menu
 

DO NOT

  • Do not attempt to gain access, disrupt or alter any Cloud services, servers or infrastructure within the Cloud.
  • If you believe you have found a vector to exploit devices globally do not attempt to exploit others' devices without their knowledge or permission and notify Belkin International immediately.
  • Do not publicly disclose any attack vectors, potential vulnerabilities/exploits or other security concerns until we have worked together to release a fix publicly.

Responsible Disclosure

If you follow these guidelines when reporting a security issue to us, we will do our best to:
  • Not pursue legal actions
  • Not report you to the federal or other governmental authorities
  • Work with you to understand and reproduce the issue(s) as quickly as possible (confirming the report within 48 hours of submission, fixing issues may vary due to the complexity of the issue, depending on whether it relates to App store update releases, Firmware updates or Cloud update(s).
  • Recognize you and your findings on our Security Disclosure List
    • Be the first to find the issue
    • A change set or portion of code is committed to fix the issue

In Scope

  • Device Remote Code Execution
  • MiTM (Man in The Middle vectors)
  • Circumvention of our framework's privacy and permission models
  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication

Not In Scope

Any services or systems that are hosted by third party providers or Belkin International owned property, services be it physical or intellectual. This includes and is may not only limited to:
  • WeMo Cloud
  • Linksys Smart Wi-Fi Cloud
  • Netcam services such as iSecurity+, Seedonk Cloud servers, Services and Intellectual Property
  • IFTTT (If This Then That Cloud Services)
All items below are off limits in your testing:
  • Belkin International office facilities (e.g. open doors, tailgating, vandalism)
  • Belkin International websites and their sub-domains (Belkin.com, Linksys.com, wemothat.com, etc.)
  • Any servers or services that Belkin or Linksys products or any of its partners may redirect or forward to.
  • Belkin IT maintained databases, such as employee lists, customer lists, CA support DB, product registration database, marketing databases, etc.
  • Social Engineering (e.g. phishing, vishing)
  • Non Security related defects such as Functional, UI and UX bugs
  • Denial of Service (DoS/DDoS) vulnerabilities

How To Submit

To report a potential security vulnerability or concern, please contact the appropriate security resource via email:

• For Belkin and WeMo branded products: security@belkin.com

• For Linksys branded products: security@linksys.com

Please use our PGP key when submitting potential security vulnerabilities.

Belkin and WeMo PGP key »
Linksys PGP key »

Please include the following details in your email:

• Subject line must contain a brief high-level description of the issue

• The body of the email must contain:

  • Belkin/Linksys product name and model number (generally located on the bottom or back of the product)
  • Application Version
  • Firmware Version
  • Description of the concern or vulnerability (if you have a script or PoC it helps in turnaround time)
  • Any information to help our team reproduce the issue
For WeMo and Belkin branded products we recommend using our public PGP key located here to encrypt the email content that can be submitted to security@belkin.com.
For Linksys branded products we recommend using our public PGP key located here to encrypt the email content that can be submitted to security@linksys.com.

BELKIN RESPONSE TIME

After receiving your email, our Application Security team will verify and analyze the issues that you have reported. Please give us up to 2 business days for an initial response.

Thanks!

On behalf of over a billion users, we would like to thank the following people for making a responsible disclosure to us:


Thanks to the Most Recent Researchers
  • Ben Sadeghipour (WeMo)
  • Chris Ducharme at ISEC Partners (Belkin)
  • Chrisopher Lowson (Linksys)
  • Dennis Antunes (WeMo)
  • Jay K. Patel (Belkin)
  • Joe Rozner (WeMo)
  • John Stauffacher (WeMo)
  • Kaspersky Lab (WeMo)
  • Nithish M. Varghese (Belkin)
  • Mansoor Gilal (Belkin)
  • Mohammed Fayez (Linksys)
  • Morgan Jones (Linksys)
  • Sajibe Kanti Agarwal (Belkin)
  • Shivam Kumar Agarwal (Belkin)
  • Tabish Ali (Belkin)
  • Tudor Enache (Linksys)
A special thanks to everyone else who submited security issues

2014

  • Craig Young (Belkin)
  • Elvis Collado of HP DVLabs (Belkin)
  • Ivan Novikov at Wallarm (WeMo)
  • Maxim Rupp (Linksys)
  • Ossi Nykänen (Belkin)
  • Zero Day Initiative (Belkin)