Vulnerability Disclosure Program
Sphero, an industry leader in connected play, strongly believes that it is our responsibility to help protect our users' safety and personal information. As part of our dedication to this responsibility, we invite anyone to submit discovered vulnerabilities in our products to our responsible disclosure program.
Eligibility and Responsible Disclosure
We are very grateful to all vulnerability submissions that help our security initiative. Only submissions that meet the following guidelines will be considered for a bounty.
- You must be willing and able to supply us with a W-9/W-8BEN and/or other necessary paperwork to be eligible for a cash bounty.
- This must be the first report of this vulnerability.
- We must not already know about the vulnerability, the vulnerability must not be intentional, and we reserve the right to declare any vulnerability insignificant, in our discretion.
- The vulnerability must meet our qualification guidelines and be in the scope of the program.
- You must follow our Code of Conduct.
- We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran, Syria, or on a denied parties or sanctions list).
We take the security of all of our products very seriously and invite you to report any discovered vulnerability. However, at this time we can only offer bounties for the products, applications, and APIs below due to capacity for handling reports.
- BB-8™ App-Enabled Droid™ (Original and Battle-Worn)
- Star Wars™ Force Band™
- Ultimate Lightning McQueen™
- Spider-Man™ Interactive App-Enabled Super Hero
- BB-8™ App Enabled Droid™ (iOS/Android)
- Star Wars™ Force Band™ by Sphero® (iOS/Android)
- Sphero Edu App (iOS/Android)
- Ultimate Lightning McQueen™ by Sphero® (iOS/Android/)
- Spider-Man™ Interactive App-Enabled Super Hero (iOS/Android)
APIs and Websites
- Main website (sphero.com)
- Sphero Edu (edu.sphero.com)
- Authorizer (accounts.sphero.com)
- Content Management System (content.platform.sphero.com)
- Data Warehouse (warehouse.platform.sphero.com)
Reports for any other product may be considered for a bounty based on the severity of the bug found.
Code of Conduct
Anyone that breaks the code of conduct below will not be eligible for a bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- When possible, use test accounts and devices.
- No vulnerability should be exposed publicly before it has been through the disclosure process and fixed.
- No information found through a vulnerability should be leaked or publicly disclosed.
- Vulnerability discovery should not impact other users. For example, this includes vulnerabilities used to steal personal information, DDoS attacks, defacing a website, or publicly exploited XSS.
- You must follow all laws related to your participation in this program.
- Please conduct all communications regarding disclosure in a professional manner.
- You may not publicly disclose any information regarding your findings unless given consent by the Sphero security team.
- Only sites and apps ran by Sphero are eligible and should be tested. There are sites hosted on subdomains of sphero.com that are run by third parties which are not eligible.
- Do not use automated scanners to find vulnerabilities, we reserve the right to ban users by IP address for this kind of behavior.
- No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
How to report
In order to receive a bounty, qualifying vulnerabilities must be submitted through firstname.lastname@example.org. Please send a new email for each new disclosure.
Please ensure that your report contains all of the following:
- The type of vulnerability;
- What the impact of this vulnerability is, including what (if any) information could be leaked or what functionality could be altered;
- Reproduction steps; and
- Any suggested fixes.
Any vulnerabilities that put our users' personal information at risk or lead to unwanted behavior of our products is likely to be within the scope of this program. We do require that exploitation of a vulnerability be reasonably possible and a proof of concept is highly preferred.
Disclosures that simply suggest security best practices without any details on how the issue can be exploited will not be eligible for bounty.
Using the Google Bug Hunters University guide to think through an attack scenario may be helpful in determining the impact of your vulnerability.
Any vulnerabilities that require physical access to a device to exploit (unless it involves malicious code installed on the device that can be exploited later) will not be eligible for a bounty.
Depending on impact, not all issues may be eligible for a monetary reward. All submissions are reviewed on a case by case basis.
Service Level Agreements
We currently expect to be able to get back to you within 10 business days to validate your submission. If eligible, you will receive a bounty within 2 weeks of receiving the required tax and payment information. Time to resolve vulnerabilities will vary based on the severity and complexity of the issue involved.
Many factors go into determining bounty amount including:
- Bugcrowd’s Vulnerability Rating Taxonomy is used to determine initial priority.
- CVSS scores and internal risk assessment can potentially raise or lower the initial priority rating.
- We may deduct or deny bounty amount for unprofessional behavior.
- Professionalism and good-will reports may earn additional bounty as well.
- We are unable to ship product to certain locations due to various reasons. These locations include (but are not limited to) Pakistan, most of South America, and most of Africa.
The below scale will be used as a rough guideline for determining bounty amount, we reserve the right to adjust amounts based on evaluation of reports.
$0+ (or Product)
The Fine Print
You are responsible for any applicable taxes or fees associated with any bounty you receive.
Program terms may change at any time, but will not have retroactive effect.