Responsible Disclosure Policy

Overview

This document provides an overview of the responsible disclosure program, also known as a ‘bug bounty’, at Particle.

As an organization with a long history of transparency, and working closely with our developer community, it should be no surprise that Particle extends the same philosophy to our relationship with security researchers acting in good faith. Particle welcomes the responsible disclosure of potential security vulnerabilities within our products and services, subject to the terms and conditions outlined in this policy, and in return, offers compensation based on our internal assessments of the severity of reported issues.

Scope

Products and services in scope:

  • Particle DeviceOS (latest version)
  • Particle Device Cloud, including:
    • Device Service
    • REST API
    • Webhook and integration system
    • Console
    • Login/SSO
    • Build
  • Any publicly exposed infrastructure elements that support Particle’s product or organizational operations, e.g. public S3 buckets.

Not in scope:

  • Hardware vulnerabilities that require physical device access to exploit.
  • Third party business applications leveraged by Particle:
    • This includes the Particle blog, community forums and others.
  • Staging servers, unless their vulnerabilities impact production environments.
  • Github repositories that are not part of the /particle-iot/ organization.

Please note that at this time, these following vulnerability types are not considered in-scope:

  • Configuration and best practices such as SPF/DMARC, CORS, security headers, or insecure SSL/TLS ciphers.
  • Denial of Service.
  • Information disclosure such as file path, unless it can lead to sensitive info.
  • Clickjacking that does not exist in our in-scope web pages.
  • Email and account policies such as reset method and password complexity.
  • Theoretical XSS or Self-XSS attacks without evidence of exploitability, such as input being reflected in response.
  • Best Practices Concerns (including Rate Limit configuration).
  • Spam Techniques.
  • Social Engineering of Particle employees.
  • Vulnerability reports from automated tools.

Rules of Engagement and Legal Matters

Particle will not engage in legal action against individuals or entities that submit vulnerability reports that cover in scope products and services (as defined above), through the approved channels (defined below).

Furthermore, Particle agrees not to pursue legal action against individuals or entities that adhere to the following rules of engagement when identifying and submitting vulnerabilities:

  • Testing and/or research should be non-disruptive (e.g. no denial of service), and should not harm Particle’s operations or customers. If you’re not sure if a particular test will cause disruption, err on the side of caution and do not perform it without consulting Particle’s security team first.
  • Testing and/or research should be on in scope systems only. If you’re not sure whether a system is in scope, please ask.
  • Testing and/or research should not deliberately seek to access information belonging to Particle customers. Instead, a researcher should leverage their own accounts within the Particle environment.
  • Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.
  • Security researchers are responsible for ensuring they adhere to local laws and legislation at all times.

All security researchers wishing to be considered for compensation when submitting a vulnerability should ensure that their research, or testing, is conducted in accordance with the above rules of engagement.

How to Report a Vulnerability to Particle

Vulnerability reports should be submitted to the Particle security team via email, to the address security@particle.io.

Particle follows the security.txt (https://securitytxt.org/) standard for relaying the most up to date information regarding our responsible disclosure program and preferred methods of communication. Please review our security.txt file at the following URL to ensure you have the latest information before making a vulnerability submission: https://www.particle.io/.well-known/security.txt.

The security.txt file contains a link to the Particle Security team’s public PGP key, which can optionally be used to encrypt incoming reports. This may be advisable if the report submission includes sensitive data.

Preference, Prioritization and Acceptance Criteria

In order to obtain the most value from this program, for both Particle and the participating security researcher, we strongly advise that, and will give priority to disclosures which include:

  • Reports that are well written, and submitted in English where possible.
  • Reports that include proof of concept code that permit Particle to better triage the issue.
  • Reports that include details of how the vulnerability was identified, a suggested impact rating, and any potential remediations you might suggest.
  • Reports that are more than just output from automated testing tools, and scans.
  • Reports that include any intentions or timelines for public disclosure.

If you follow these guidelines, you can expect the following from Particle:

  • A timely response to your initial disclosure.
  • Open dialog which includes planned remediation timelines where a remediation is necessary.
  • Notification when final remediation has occurred.
  • Compensation where applicable (see below).

Compensation

Particle compensates security researchers based on the following factors:

  • The severity of the issue identified (we leverage a formula linked to the CVSS).
  • The quality of the reporting.
  • Particle’s internal risk assessment of the issue.
  • Whether or not the issue has already been disclosed to Particle prior to your submission (we only pay out once per issue).

Particle will work with the researcher to facilitate payment. Payment amounts are entirely at Particle’s discretion — which is something you agree to when submitting bugs as part of this program.

After submission, if your issue is accepted, you will hear from us within 72 hours. If you do not hear from us within 72 hours, it means your issue has not been accepted this time.

To prove that you have read and understood this policy fully, include the word 'SPARKHEX' in the subject line of your submission.