Arlo Cash Rewards

  • Points – $1,200 per vulnerability
  • Up to $15,000 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

83 vulnerabilities rewarded

Validation within about 8 hours
75% of submissions are accepted or rejected within about 8 hours

$730 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About Arlo Cash Rewards Program

This program encourages and rewards contributions by developers and security researchers who help make Arlo’s products more secure. Arlo provides monetary rewards and kudos for qualifying vulnerability submissions to this program. For submissions outside the scope of this program Arlo rewards Kudos points. Please click on the following link to the Arlo Kudos Rewards Program.

NETGEAR products have their own Bug Bounty program. Please click the following link to NETGEAR Cash Rewards Program.

A note about business impact
arlo appreciates the efforts and contributions from the security research community. In order to provide researchers with timely and accurate rewards, arlo requests that submitters include a statement about perceived impact to arlo, along with the submission details. Not only will this help arlo reproduce, rate and reward your findings in a timely manner --- it is likely to help improve the severity score of your finding as well!

In Scope:

For device testing, the following features are eligible for cash rewards:

Product Firmware Web Management Client Apps Cloud Infrastructure
Arlo Video Doorbell X X X X
Arlo Security Light X X X X
Arlo Bridge X X X X
Arlo Pro 3 X X X X
Arlo Pro 2 X X X X
Arlo Pro X X X X
Arlo X X X X
Arlo Base Station X X X X
Arlo Go X X X X
Arlo Q X X X X
Arlo Q+ X X X X
Arlo Baby X X X X
Arlo Ultra X X X X
Arlo Floodlight X X X X
Arlo Essential X X X X
Arlo Andoid App X X X X
Arlo iOS App X X X X

Only vulnerabilities found in the latest version of the above are eligible. Targets listed below denote Cloud Infrastructure that support in-scope devices and are included in scope:

Reward range

Last updated

Technical severity Reward range
p1 Critical Up to: $1,200
p2 Severe Up to: $600
p3 Moderate Up to: $300
p4 Low Up to: $150
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags
Arlo Security Light IoT
  • IoT
Arlo Bridge IoT
  • IoT
Arlo Pro 3 IoT
  • IoT
Arlo Pro 2 IoT
  • IoT
Arlo Pro IoT
  • IoT
Arlo IoT
  • IoT
Arlo Base Station IoT
  • IoT
Arlo Ultra IoT
  • IoT
Arlo Go IoT
  • IoT
Arlo Q IoT
  • IoT
Arlo Q+ IoT
  • IoT
Arlo Baby IoT
  • IoT
Arlo iOS App iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Arlo Android App Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Arlo Web App Website Testing
  • Website Testing
Arlo APIs API Testing
  • API Testing
  • HTTP Website Testing
  • AWS
  • jQuery
  • Microsoft IIS
  • Website Testing Website Testing
  • Moment.js
  • Zone.js
  • Angular
  • Java
  • Website Testing Website Testing
  • Website Testing Website Testing
  • Website Testing Website Testing
  • AWS
  • jQuery
  • Website Testing
Arlo Video Doorbell IoT
  • IoT
Arlo Floodlight IoT
  • IoT
Arlo Essential IoT
  • IoT API Testing
  • API Testing

Out of Scope:

  • All Arlo products and properties not explicitly denoted in Targets, excluding High Impact Submissions as described below
  • All vulnerabilities submitted to the NETGEAR Cash Rewards Program

Priority and Reward Guidelines

The Arlo Product Security team, at their sole discretion, determines the nature and impact of the vulnerabilities disclosed including, but not limited to, leveraging CVSS rating methodology to identify the appropriate payouts.

The first valid submission to alert Arlo of a previously unknown issue qualifies for reward. Arlo builds products using a common platform and framework. Multiple products sometimes inherit the same vulnerability. When determining bounty awards, Arlo grants a single award that accounts for all affected products.

All issues around login and access are of particular concern. Most login submissions classified as P5s will likely be elevated to P4 or greater issues.

High Impact Rewards

Arlo rewards submissions that Arlo determines meets a below High Impact outcome. Arlo includes all products and services in scope for these rewards. Cash Rewards will be awarded based on the following:

  • $15,000

    • Unauthorized Access to all Arlo cloud storage video files
    • Unauthorized Access to all Arlo live video feeds
  • $10,000

    • Remote Unauthorized access to only a single Arlo account’s live video feed (via the publicly accessible internet - i.e. not on the same LAN)
    • Remote Unauthorized access to only a single Arlo account’s cloud storage video files (via the publicly accessible internet - i.e. not on the same LAN)
    • Remote Unauthorized access to full Arlo database

Program Exclusions

  • Duplicate reports of security issues, including security issues identified internally
  • Attacks against Arlo AWS infrastructure
  • Automated scanning attacks
  • Social engineering (e.g. phishing, vishing)
  • Physical attacks such as office access (e.g., open doors, tailgating)
  • Distributed Denial of Service attacks and Denial of Service attacks
  • UI bugs, UX bugs, and spelling mistakes
  • Violations of licenses or other restrictions applicable to any vendor's product
  • Vulnerabilities that are a result of malware
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
  • Issues determined to be low impact may be excluded
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
  • Issues related to email misconfiguration (DMARC, etc)
  • Issues related to rate limiting
  • Any session management vulnerabilities related to

Legal Terms and Conditions

In addition to these Terms and Conditions regarding the Arlo Responsible Disclosure Program (the "Program"), there may be additional restrictions depending upon applicable local laws.

  1. The parties to this Agreement are you and Arlo Technologies, Inc.
  2. "Arlo" refers to Arlo Technologies, Inc. and its affiliates.
  3. By submitting the security bug, you affirm that you have not disclosed and agree that you will not disclose the security bug to anyone other than Arlo. Absent Arlo's prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that Arlo will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to Arlo.
  4. By submitting information about a potential security bug, you are granting Arlo a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing security bugs in Arlo’s products and services.
  5. In the event of substantially duplicate submissions, Arlo may at its discretion provide a Reward only for the earliest received submission. Eligibility for Rewards, determination of the recipients, and amount of Reward is at the discretion of Arlo.
  6. If issues reported to our bug bounty program affect a third party or another vendor, Arlo reserves the right to forward details of the issue along to the party without further discussion with the researcher.
  7. You are responsible for all taxes associated with and imposed on any Reward you may receive from Arlo.
  8. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
  9. If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
  10. Your testing activities must not negatively impact Arlo, Arlo’s products or services generally, or Arlo's online environment availability or performance.
  11. Arlo may choose not to remediate at its sole discretion.
  12. This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
  13. If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such a portion, but only to the extent that such portion is illegal or unenforceable.
  14. You must not be the author of the code with the vulnerability.
  15. You must not be an Arlo employee, contractor, or a family member of an employee or contractor.



This bounty follows Bugcrowd’s Public Disclosure Policy.

Requests to disclose the results of a submission will be considered on a case by case basis and require explicit prior written consent from Arlo.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.