NETGEAR Cash Rewards

  • $150 – $1,200 per vulnerability
  • Up to $15,000 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

1038 vulnerabilities rewarded

Validation within about 1 month
75% of submissions are accepted or rejected within about 1 month

$866.66 average payout (last 3 months)

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About NETGEAR Cash Rewards Program

NETGEAR’s mission is to be the innovative leader in connecting the world to the internet. To achieve this mission, we must earn and maintain our customers’ trust by protecting the privacy and security of their data.

This program encourages and rewards contributions by developers and security researchers who help make NETGEAR’s products more secure. NETGEAR provides monetary rewards and kudos for qualifying vulnerability submissions to this program. For submissions outside the scope of this program, NETGEAR awards Kudos points; see the NETGEAR Kudos Rewards Program.

Arlo products have their own Bug Bounty program. Please click the following link to the Arlo Cash Rewards Program.


Only the following products are eligible for cash rewards:

Product                                             Firmware   Router Web Management   Mobile Apps   Type
Nighthawk Pro Gaming Routers                        X          X                       X             IoT
Nighthawk Pro Gaming Switches                       X          X                       X             IoT
Nighthawk Routers                                   X          X                       X             IoT
Nighthawk Switches                                  X          X                       X             IoT
Orbi                                                X          X                       X             IoT
Insight Managed Smart Cloud Wireless Access Points  X          X                       X             IoT / Web

Only vulnerabilities found in the latest version of the products above are eligible. To find the latest version, search by model number at NETGEAR Support. The targets listed below also include the cloud infrastructure that supports in-scope devices; that infrastructure is in scope:


In scope

Target name                                         Type               Tags
Nighthawk Pro Gaming Router                         IoT                IoT
Nighthawk Pro Gaming Switch                         IoT                IoT
Nighthawk Router                                    IoT                IoT
Nighthawk Switch                                    IoT                IoT
Nighthawk iOS App                                   iOS                Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Nighthawk Android App                               Android            Mobile Application Testing, Android, Java, Kotlin
Orbi                                                IoT                IoT
Orbi iOS App                                        iOS                Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Orbi Android App                                    Android            Mobile Application Testing, Android, Java, Kotlin
Insight Managed Smart Cloud Wireless Access Point   IoT                IoT API Testing, API Testing, HTTP
Insight iOS App                                     iOS                Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Insight Android App                                 Android            Mobile Application Testing, Android, Java, Kotlin
Insight Cloud Portal                                Website Testing    Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of NETGEAR not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Out of Scope:

  • All NETGEAR products and properties not explicitly denoted in Targets, excluding High Impact Submissions as described below
  • All products covered by the Arlo Cash Rewards Program.

Priority and Reward Guidelines

The NETGEAR Product Security team, at its sole discretion, determines the nature and impact of the vulnerabilities disclosed, including, but not limited to, using the CVSS rating methodology to identify the appropriate payout.

The first valid submission to alert NETGEAR of a previously unknown issue qualifies for reward. Reward guidelines are based on the default configuration of devices, where applicable. NETGEAR builds products using a common platform and framework. Multiple products sometimes inherit the same vulnerability. When determining bounty rewards, NETGEAR grants a single reward that accounts for all affected products.

Rewards for in-scope NETGEAR Products Only:

Priority Reward ($)
P1 $1,200
P2 $600
P3 $300
P4 $150

Note: NETGEAR uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, NETGEAR will defer to the CVSS score to determine the priority.

High Impact Rewards

NETGEAR rewards eligible submissions to researchers who report a vulnerability (or series of vulnerabilities) that demonstrably leads to one or more of the following results. NETGEAR includes all in-scope Products listed above as targets for these rewards. Cash Rewards will be awarded based on the following:

  • $15,000

    • Remote Unauthorized Access to administer a NETGEAR device (via the publicly accessible internet - e.g. not on the same LAN) with default device settings
  • $10,000

    • Remote Unauthorized Access to the full NETGEAR customer database. The same vulnerability may not be submitted again via a different entry point.

Program Exclusions

  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Duplicate reports of security issues, including security issues that have already been identified internally
  • Attacks against NETGEAR AWS infrastructure
  • Automated scanning attacks
  • Social engineering (e.g. phishing, vishing)
  • Physical attacks such as office access (e.g., open doors, tailgating)
  • Distributed Denial of Service attacks and Denial of Service attacks
  • UI, UX bugs, and spelling mistakes
  • Usability issues
  • Violations of licenses or other restrictions applicable to any vendor's product
  • Vulnerabilities that are a result of malware
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
  • Issues determined to be low impact may be excluded
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
  • Without permission, researchers may not leverage the findings of one vulnerability to build further exploits against normally inaccessible functionality (for example, using leaked API keys or IP information). If you believe a vulnerability can be leveraged to a greater degree, request permission in your original report for that vulnerability.

Legal Terms and Conditions

In addition to these Terms and Conditions regarding the NETGEAR Responsible Disclosure Program (the "Program"), there may be additional restrictions depending upon applicable local laws.

  1. The parties to this Agreement are you and NETGEAR.
  2. "NETGEAR" refers to NETGEAR, Inc. and its affiliates.
  3. By submitting the security bug, you affirm that you have not disclosed and agree that you will not disclose the security bug to anyone other than NETGEAR. Any disclosure outside of this process would violate this Agreement. You agree that money damages may not be a sufficient remedy for a breach of this paragraph by you and that NETGEAR will be entitled to specific performance as a remedy for any such breach. Such remedy will not be deemed to be the exclusive remedy for any such breach but will be in addition to all other remedies available at law or equity to NETGEAR.
  4. By submitting information about a potential security bug, you are granting NETGEAR a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing security bugs in NETGEAR’s products and services.
  5. In the event of substantially duplicate submissions, NETGEAR may at its discretion provide a Reward only for the earliest received submission. Eligibility for Rewards, determination of the recipients, and amount of Reward is at the discretion of NETGEAR.
  6. If issues reported to our bug bounty program affect a third party or another vendor, NETGEAR reserves the right to forward details of the issue along to the party without further discussion with the researcher.
  7. You are responsible for all taxes associated with and imposed on any Reward you may receive from NETGEAR.
  8. You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited.
  9. If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
  10. Your testing activities must not negatively impact NETGEAR, NETGEAR’s products or services generally, or NETGEAR's online environment availability or performance.
  11. NETGEAR may choose not to remediate at its sole discretion.
  12. This Agreement constitutes the entire agreement of the parties with respect to the items listed above. This Agreement is covered by California law. This Agreement may be amended or modified only by a subsequent agreement in writing.
  13. If any portion of this Agreement is found to be illegal or unenforceable, then the parties will be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.
  14. You must not be the author of the code with the vulnerability.
  15. You must not be a NETGEAR employee, contractor, or a family member of an employee or contractor.

This bounty follows Bugcrowd’s Public Disclosure Policy.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.