About Arlo Kudos Rewards Program
This program encourages and rewards contributions by developers and security researchers who help make Arlo’s products more secure. Arlo provides kudos points for qualifying vulnerability submissions to this program. In addition to this program Arlo offers a Cash Reward Program that includes large payouts for eligible High Impact Submissions. If you believe you have found a vulnerability that meets the criteria for a cash reward please submit it to the Arlo Cash Rewards Program.
Everything not covered by the Arlo Cash Rewards Program
Priority and Reward Guidelines
Arlo issues kudos points for any issue deemed unique, valid, and at least a P4 in Bugcrowd’s Vulnerability Rating Taxonomy (VRT).
All issues around login and access are of particular concern. Most login submissions classified as P5s will likely be elevated to P4 or greater issues.
- Duplicate reports of security issues, including security issues that have already been identified internally
- Automated scanning attacks
- Social engineering (e.g. phishing, vishing)
- Physical attacks such as office access (e.g., open doors, tailgating)
- Distributed Denial of Service attacks and Denial of Service attacks
- UI bugs, UX bugs, and spelling mistakes
- Violations of licenses or other restrictions applicable to any vendor's product
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
- Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
Legal Terms and Conditions
In addition to these Terms and Conditions regarding the Arlo Responsible Disclosure Program (the "Program"), there may be additional restrictions depending upon applicable local laws.
- The parties to this Agreement are you and Arlo Technologies, Inc.
- "Arlo" refers to Arlo Technologies, Inc. and its affiliates.
- By submitting the security bug, you affirm that you have not disclosed and agree that you will not disclose the security bug to anyone other than Arlo. Absent Arlo's prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that Arlo will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to Arlo.
- By submitting information about a potential security bug, you are granting Arlo a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing security bugs in Arlo’s products and services.
- In the event of substantially duplicate submissions, Arlo may at its discretion provide a Reward only for the earliest received submission. Eligibility for Rewards, determination of the recipients, and amount of Reward is at the discretion of Arlo.
- If issues reported to our bug bounty program affect a third party or another vendor, Arlo reserves the right to forward details of the issue along to the party without further discussion with the researcher.
- You are responsible for all taxes associated with and imposed on any Reward you may receive from Arlo.
- You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
- Your testing activities must not negatively impact Arlo, Arlo’s products or services generally, or Arlo's online environment availability or performance.
- Arlo may choose not to remediate at its sole discretion.
- This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
- If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.
- You must not be the author of the code with the vulnerability.
- You must not be an Arlo employee, contractor, or a family member of an employee or contractor.
ARLO RESERVES THE RIGHT TO MODIFY OR CANCEL THE ARLO RESPONSIBLE DISCLOSURE PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.
This bounty follows Bugcrowd’s Public Disclosure Policy.
Requests to disclose the results of a submission will be considered on a case by case basis and require explicit prior written consent from Arlo.