SmartThings Vulnerability Disclosure
- Points per vulnerability
SmartThings lets you easily monitor, control, and secure your home from anywhere in the world.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Targets
In scope
| Target name | Type |
|---|---|
| SmartThings Hub | IoT |
| SmartThings Mobile Application for iOS | iOS |
| SmartThings Mobile Application for Android | Android |
| SmartThings Rest APIs | API |
| SmartThings Graph Console | Website |
Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Target Information
Access
Researchers are encouraged to self-provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
Target Features
- Connect wirelessly with a wide range of smart devices and make them work together.
- Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
- Receive alerts from connected devices when there’s activity in your home.
- Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
- Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
- Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
- Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).
Mobile Downloads:
Web Interface:
- https://graph.api.smartthings.com/
REST APIs:
- https://*.api.smartthings.com/
- https://account.smartthings.com/
Documentation:
- https://smartthings.developer.samsung.com/
In-Scope
- All OWASP Top 10 issues pertaining to web and mobile applications
- Primarily:
- Non-Self XSS (Self-XSS is out of scope)
- All Injection flaws
- Authentication and authorization flaws
- Remote exploitation of the hub, including code execution bugs, overflows, command injection, gaining console/root access, etc. (Weaknesses and security issues in the ZigBee/wireless protocol itself are out of scope.)
- Sensitive information leakage: OAuth tokens, PII, secrets
- Remote or local bugs exploiting the tester's own environment (Hub, Mobile App, Sensors and communication to/from these devices) that would allow exploitation of OTHER customers' data or environments
- All Supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
- Malicious File Uploads with an exploit PoC
- Third-party libraries used by SmartThings
Out-of-Scope
- TLS related configuration flaws
- Username / email enumeration
- Issues related to password complexity
- DoS/DDoS. Do not flood the cloud API servers with large payloads.
- Clickjacking
- OAuth token expiration and scope
- API Rate Limitations
- Low or informational risk findings
- Password policies (strength, lockout, expiration etc.)
- Leakage of non-secret data like unique identifiers via GET requests is out of scope; secret data like passwords and access tokens is in scope
DISCLAIMER
- All vulnerabilities should be reported with a non-malicious exploit/Proof of Concept to determine the impact of the issue. While doing so, please limit data exposure to a maximum of 5 accounts/queries, as applicable.
Program rules
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.