Welcome to the NETGEAR Responsible Disclosure Program!

NETGEAR’s mission is to be the innovative leader in connecting the world to the internet. To achieve this mission, we must earn and maintain the trust of our users that we will protect the privacy and security of their data.

We appreciate having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR. Every day new security issues develop. NETGEAR strives to keep up to date on the latest security developments by working with both security researchers and companies. We appreciate the community's efforts in creating a more secure world.

This program encourages and rewards contributions by developers and security researchers who help make NETGEAR’s products more secure. Through this program NETGEAR provides monetary rewards or points for security vulnerabilities responsibly disclosed to us.

The following explains the details of the program. If you are new to our Program, please be sure to review the following sections prior to making a submission.

Guidelines

The NETGEAR Responsible Disclosure Program is exclusively for security vulnerabilities relating to NETGEAR products and their associated services. Anything that does not relate directly to a NETGEAR product is out of scope (e.g. marketing and support websites such as netgear.com). However, so long as a domain is used directly by a NETGEAR product, it is in scope: for example, https://apistaging.netgear.com is in scope, but https://netgear.com is not.

If you have found a security bug in any NETGEAR product and want to report it to us, please click on the “Report Bug” button (in the top right corner) to submit the claim to NETGEAR’s Responsible Disclosure Program.

Responsible Disclosure

This Program follows Bugcrowd's standard disclosure terms. This Program requires explicit prior written consent from NETGEAR to disclose the results of a submission.

Types of Responsible Disclosure Program

NETGEAR is offering 2 types of security vulnerability disclosure programs.

Kudos Program

  • All Netgear products not listed within the Cash Reward Program qualify for Kudos
  • No Denial of Service Attacks of any kind. DoS and DDoS attacks do not qualify for Kudos.
  • Reward – points
  • Issues submitted must be using the latest software version.
  • To check for the latest version, search by model number at NETGEAR SUPPORT

Cash Reward Program

  • Reward – cash (US Dollars)
  • ONLY the following products are eligible for a cash reward
  • Only issues submitted for the latest version number are eligible for reward.
  • To check for the latest version, search by model number at NETGEAR SUPPORT
  • No Denial of Service Attacks of any kind. DoS and DDoS attacks do not qualify for Cash.
Product          | Firmware | Web Management | Client Apps | Cloud Infrastructure
Arlo (Wire-Free) | X        | X              | X           | X
Arlo (Q)         | X        | X              | X           | X
Arlo Pro         | X        | X              | X           | X
Nighthawk X8     | X        | X              |             |
Nighthawk X4S    | X        | X              |             |
Orbi             | X        | X              |             |

Payout Up To | Expected Outcome
$15,000      | Unauthorized access to NETGEAR cloud storage video files for all customers
$15,000      | Unauthorized access to live video feeds of all NETGEAR customers
$15,000      | Remote unauthorized access to administer another NETGEAR customer's router (via the publicly accessible internet, i.e. not on the same LAN) with default router settings
$10,000      | Remote unauthorized access to only a single NETGEAR customer's live video feed (via the publicly accessible internet, i.e. not on the same LAN)
$10,000      | Remote unauthorized access to only a single NETGEAR customer's cloud storage video files (via the publicly accessible internet, i.e. not on the same LAN)
$10,000      | Retrieve all customer payment information (16-digit credit card numbers, CVV)
$5,000       | Retrieve only a single customer's payment information (16-digit credit card number, CVV)
$5,000       | Retrieve the complete NETGEAR customer database (must include: Name, Email address, Password, Products owned)
$1,500       | Working SQL Injection on Cloud Infrastructure (excluding Firmware, Web Management & Client Apps)
$1,000       | Working Stored XSS from lower- to higher-privilege users on Cloud Infrastructure (excluding Firmware, Web Management & Client Apps)

All vulnerabilities ranked P4 and higher in the Bugcrowd VRT will be evaluated by NETGEAR on a case-by-case basis, and if deemed something that will be fixed, issues on the aforementioned targets will be rewarded at a minimum of $150, or more, depending on severity and impact. It is important to note that this program does not follow the Bugcrowd VRT for vulnerability prioritization, but it does use the baseline that anything below a P4 will not result in a reward.

The above outlines the guidelines for cash rewards for in-scope properties. Keep in mind that no two bugs are created equal. The NETGEAR Security team, at their sole discretion, will determine the nature and impact of the bugs to identify the appropriate payouts around these guidelines. Each submission is evaluated by NETGEAR on the basis of first-in, best dressed.

You will qualify for a reward if you were the first person to alert NETGEAR to a previously unknown issue. NETGEAR products are sometimes built on a common platform and framework, so a vulnerability found in one product may also exist in others. If a single bug affects multiple products, we will only grant a single award that accounts for the impact to all affected products.

Chaining Bugs

Chaining of bugs is encouraged to demonstrate a higher impact and receive rewards. Participants are asked to report the bugs as they are found and those can then be used as a part of a chain submission by the participant any time during the next six months. Only the first person to file a bug can use it as a part of their "chain" submission, so file early and file often!

In addition, participants who submit a "chain" will be invited to contribute to a short technical report on their research, which will be posted on the NETGEAR Product Security Advisory Page Blog.

If you report a unique chain vulnerability, with a minimum of 3 bugs, in addition to the cash reward for each individual bug in the chain, NETGEAR will apply a "Chain Bonus" for the bug that results from the chain. The "Chain Bonus" amount will be 3X the reward for the final expected outcome.

When submitting a chain of bugs, please create a new submission (separate from any prior submissions), detailing the exploit chain, and referencing any of your earlier submissions that are used in the chain. These chains will be exclusively reviewed by NETGEAR, and rewarded at their discretion.

All other active NETGEAR products do not pay out monetary rewards - Points Only

In addition, the submitter:
  • Must not be the author of the code with the vulnerability
  • Must not be a NETGEAR employee, contractor, or a family member of an employee or contractor

Things we do not want to receive:
  • Personally identifiable information (PII)
  • Credit card holder data

The NETGEAR Responsible Disclosure Program applies to both Kudos and Cash Reward Programs.

Targets

In scope

  • Please note that only the below targets qualify for cash rewards
  • Orbi Firmware, Web Management App
  • Nighthawk X8 Firmware, Web Management App
  • Nighthawk X4S Firmware, Web Management App
  • Netgear Arlo Firmware, Web Management App, Client App and cloud infrastructure
  • https://arlo.netgear.com (NO DOS)
  • http://updates.netgear.com (NO DOS)
  • https://updates.netgear.com/arlo (NO DOS)
  • https://api.netgear.com (NO DOS)
  • https://arlo-device.messaging.netgear.com/ (NO DOS)

Out of scope

  • No Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks of ANY kind

Program Exclusions

The following categories of bugs are definitively excluded from reward in the NETGEAR Responsible Disclosure Program:

  • Netgear.com and ARLO.com marketing and support websites
  • Attacks against NETGEAR AWS infrastructure
  • Automated scanning attacks
  • Social engineering (e.g. phishing, vishing)
  • Physical attacks such as office access (e.g. open doors, tailgating)
  • Distributed Denial of Service attacks and Denial of Service attacks
  • UI and UX bugs and spelling mistakes
  • Usability issues
  • Violations of licenses or other restrictions applicable to any vendor's product
  • Duplicate reports of security issues, including security issues that have already been identified internally
  • Reports of missing SPF records for domains with no MX record
  • Vulnerabilities that are a result of malware
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
  • Issues determined to be low impact may be excluded
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
  • NETGEAR support chat functionality on any of NETGEAR's externally facing assets

Vulnerabilities that are disclosed to any party other than NETGEAR, including vulnerability brokers, will usually not qualify for a Responsible Disclosure Program reward. This includes both full public disclosure and limited private release.

Terms and Conditions

In addition to these Terms and Conditions regarding the NETGEAR Responsible Disclosure Program (the "Program"), there may be additional restrictions depending upon applicable local laws.

  1. The parties to this Agreement are you and NETGEAR.
  2. "NETGEAR" refers to NETGEAR, Inc. and its affiliates.
  3. By submitting the security bug, you affirm that you have not disclosed and agree that you will not disclose the security bug to anyone other than NETGEAR. Absent NETGEAR's prior written consent, any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that NETGEAR will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to NETGEAR.
  4. By submitting information about a potential security bug, you are granting NETGEAR a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing security bugs in NETGEAR’s products and services.
  5. In the event of substantially duplicate submissions, NETGEAR may at its discretion provide a Reward only for the earliest received submission. Eligibility for Rewards, determination of the recipients, and amount of Reward is at the discretion of NETGEAR.
  6. If issues reported to our bug bounty program affect a third party or another vendor, NETGEAR reserves the right to forward details of the issue along to the party without further discussion with the researcher.
  7. You are responsible for all taxes associated with and imposed on any Reward you may receive from NETGEAR.
  8. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
  9. If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
  10. Your testing activities must not negatively impact NETGEAR, NETGEAR’s products or services generally, or NETGEAR's online environment availability or performance.
  11. NETGEAR may choose not to remediate at its sole discretion.
  12. This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
  13. If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.

NETGEAR RESERVES THE RIGHT TO MODIFY OR CANCEL THE NETGEAR RESPONSIBLE DISCLOSURE PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.