- Belkin routers, range extenders, keyboards, and other networked devices
- Linksys routers, range extenders, Wi-Fi dongles, switches, and other networked devices
- WeMo home automation switches, light bulbs, cameras, and other networked devices
Not In Scope
Any services or systems that are hosted by third-party providers, or any property or services owned by Belkin International, whether physical or intellectual. This includes, but is not limited to:
- Belkin.com, Linksys.com, and WeMo.com web endpoints
- WeMo Cloud
- Linksys Smart Wi-Fi web and cloud endpoints
- Social Engineering and Phishing attacks against Belkin employees, contractors, customers, or support
How To Submit
PLEASE READ THE ENTIRE PAGE PRIOR TO SUBMITTING A VULNERABILITY.
If you need help finding your Wi-Fi password or believe your router has been hacked, please email our support team:
When contacting Belkin’s security team, we ask that security researchers encrypt their emails using our PGP key:
Please include the following details in your email:
• Subject line must contain a brief high-level description of the issue
• The body of the email must contain:
- Belkin/Linksys product name, model number, and hardware version (if applicable)
- Firmware/Application version
- A description of the vulnerability, reproduction steps, impact, and remediation
- Proofs of Concept are appreciated, but not required
- PDF or Word Processor documents are not accepted
After receiving your vulnerability report, the Belkin security team will review it and commission a fix from our remediation team. After Belkin publishes the fix for the affected SKUs listed in your report, Belkin will give the green light to disclose the vulnerability.
We ask that all coordinated vulnerability disclosures contain the following information:
- A link to the firmware download page containing the fixed firmware
- A sentence or two in either the title of the disclosure or in the first few paragraphs confirming that a fix for the vulnerability is available
- Accurate representation of the attack details per the CVSSv3 guidelines (LAN-only attacks are “Local” not “Remote”, etc.)
To encourage a healthy working relationship with the security research community, Belkin promises not to engage in legal action against individuals who:
- Report vulnerabilities while following the guidelines set by Belkin's Vulnerability Disclosure Program.
- Engage in vulnerability testing within the scope listed above.
- Perform security tests on their own Belkin products.
- Perform security tests on Belkin products with the consent of the owner of the product.