SmartThings Vulnerability Disclosure

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

25 vulnerabilities rewarded


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

SmartThings lets you easily monitor, control, and secure your home from anywhere in the world.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

This program only awards points for VRT-based submissions.


In scope

Target name                                   Type              Tags
SmartThings Hub                               IoT               IoT
SmartThings Mobile Application for iOS        iOS               Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
SmartThings Mobile Application for Android    Android           Mobile Application Testing, Android, Java, Kotlin
SmartThings Rest APIs                         API Testing       API Testing, HTTP
SmartThings Graph Console                     Website Testing   Website Testing

Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Information


Researchers are encouraged to self-provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more information on @bugcrowdninja email addresses, see Bugcrowd's documentation.

Target Features

  • Connect wirelessly with a wide range of smart devices and make them work together.
  • Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
  • Receive alerts from connected devices when there’s activity in your home.
  • Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
  • Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
  • Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
  • Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).

Mobile Downloads:

Web Interface:

  • https://*

Focus areas

  • All OWASP Top 10 issues pertaining to web and mobile applications
  • Primarily:
    • Non-Self XSS (Self-XSS is out of scope)
    • All Injection flaws
    • Authentication and authorization flaws
    • Remote exploitation of the hub, including code execution bugs, overflows, command injection, gaining console/root access, etc. (Weaknesses and security issues in the ZigBee/wireless protocols themselves are out of scope.)
    • Sensitive information leakage: OAuth tokens, PII, secrets
    • Remote or local bugs exploiting the tester's own environment (hub, mobile app, sensors, and communication to/from these devices) that would allow exploitation of other customers' data or environments
    • All Supporting SmartThings REST APIs (* used by the mobile apps
    • Malicious File Uploads with an exploit PoC
    • Third-party libraries used by SmartThings

Out of scope

  • TLS-related configuration flaws
  • Username / email enumeration
  • Issues related to password complexity
  • DoS/DDoS. Do not flood the cloud API servers with large payloads.
  • Clickjacking
  • OAuth token expiration and scope
  • API Rate Limitations
  • Low or informational risk findings
  • Password policies (strength, lockout, expiration etc.)
  • Leakage of non-secret data such as unique identifiers via GET requests is out of scope. Secret data such as passwords and access tokens is in scope.


  • All vulnerabilities should be reported with a non-malicious exploit or proof of concept that demonstrates the impact of the issue. While doing so, please limit data exposure to a maximum of 5 accounts/queries, as applicable.

Program rules

This program follows Bugcrowd’s standard disclosure terms.