Responsible Disclosure Policy
Rules of Engagement and Legal Matters
Particle will not engage in legal action against individuals or entities that submit vulnerability reports that cover in scope products and services (as defined above), through the approved channels (defined below).
Furthermore, Particle agrees not to pursue legal action against individuals or entities that adhere to the following rules of engagement when identifying and submitting vulnerabilities:
- Testing and/or research should be non-disruptive (e.g. no denial of service), and should not harm Particle’s operations or customers. If you’re not sure if a particular test will cause disruption, err on the side of caution and do not perform it without consulting Particle’s security team first.
- Testing and/or research should be on in scope systems only. If you’re not sure whether a system is in scope, please ask.
- Testing and/or research should not deliberately seek to access information belonging to Particle customers. Instead, a researcher should leverage their own accounts within the Particle environment.
- Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.
- Security researchers are responsible for ensuring they adhere to local laws and legislation at all times.
All security researchers wishing to be considered for compensation when submitting a vulnerability should ensure that their research, or testing, is conducted in accordance with the above rules of engagement.
How to Report a Vulnerability to Particle
Vulnerability reports should be submitted to the Particle security team via email, to the address firstname.lastname@example.org.
Particle follows the security.txt (https://securitytxt.org/) standard for relaying the most up to date information regarding our responsible disclosure program and preferred methods of communication. Please review our security.txt file at the following URL to ensure you have the latest information before making a vulnerability submission: https://www.particle.io/.well-known/security.txt.
The security.txt file contains a link to the Particle Security team’s public PGP key, which can optionally be used to encrypt incoming reports. This may be advisable if the report submission includes sensitive data.
Preference, Prioritization and Acceptance Criteria
In order to obtain the most value from this program, for both Particle and the participating security researcher, we strongly advise that, and will give priority to disclosures which include:
- Reports that are well written, and submitted in English where possible.
- Reports that include proof of concept code that permit Particle to better triage the issue.
- Reports that include details of how the vulnerability was identified, a suggested impact rating, and any potential remediations you might suggest.
- Reports that are more than just output from automated testing tools, and scans.
- Reports that include any intentions or timelines for public disclosure.
If you follow these guidelines, you can expect the following from Particle:
- A timely response to your initial disclosure.
- Open dialog which includes planned remediation timelines where a remediation is necessary.
- Notification when final remediation has occurred.
- Compensation where applicable (see below).
Particle compensates security researchers based on the following factors:
- The severity of the issue identified (we leverage a formula linked to the CVSS).
- The quality of the reporting.
- Particle’s internal risk assessment of the issue.
- Whether or not the issue has already been disclosed to Particle prior to your submission (we only pay out once per issue).
Particle will work with the researcher to facilitate payment. Payment amounts are entirely at Particle’s discretion — which is something you agree to when submitting bugs as part of this program.