Security Researcher and Reporting Program

Last updated on August 15, 2018

We value the security research community.

The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users, and we will give researchers free hardware as long as they continue submitting security issues to us. All we ask is a reasonable amount of time to resolve the issues you submit. In return, we aim to be transparent about how we approach securing our products so that everyone in the area of the Internet of Things, home automation and networked devices can benefit.

Research Guidelines

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.If you believe you have found a privacy issue, only use your test accounts to verify it's existence.Perform research only within the scope set out below.Use the identified communication channels to report vulnerability information to us.Keep information about any vulnerabilities you've discovered confidential between yourself and iam+ Inc until we've had at least 90 days to resolve the issue.**Due to the nature of patching firmware and hardware issues, we may require additional time in some cases. We will make every effort to provide realistic timelines on when we can expect to resolve issues you discover.

Reasonable Disclosure Policy

If you follow these guidelines when reporting an issue to us we commit to:

  • Not institute a civil legal action against you and not support a criminal investigation.
  • Work with you to understand and resolve the issue quickly (confirming the report within 72 hours of submission).
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Provide free hardware when new devices are available to those that have previously submitted confirmed issues to us.

Out of Scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

  • Heroku
  • AWS
  • Hockey App
  • Third-party add-ons
  • [Other 3rd Party Services]

In the interest of the safety of our users, staff, the Internet at large and you as the security researcher, the following test types are excluded from scope and not eligible for a reward:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Targets’ section
  • Functional, UI and UX bugs and spelling mistakes
  • vNetwork level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to see:

Personally identifiable information of users (PII) that you may have found during your research unless it's PII from your test account.

Submit an issue

To report a potential security vulnerability or concern, please contact A iam+ Security Incident Response Team member will review and respond to your submission within 48 hours, depending on the severity of the concern. iam+ supports encrypted emails via PGP (iam+'s public PGP key).

If you believe that iam+ data or systems are at risk, please include the following details in your email:

  • A brief summary of the activity being reported (i.e. what iam+ information is being degraded, disclosed, or denied)
  • Email, domain name, or IP address involved
  • How the activity was detected

If you believe you have discovered a vulnerability in a iam+ product, please include the following details in your email:

  • Subject line must have PSIRT
  • iam+ product name(s) and version(s)
  • Description of the concern or vulnerability (e.g. privilege escalation, buffer overflow, SQL injection, cross-site scripting)
  • Information to help our team replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code)

Thank you for participating, it is your work that will help keep us secure.