COORDINATED VULNERABILITY DISCLOSURE
Peloton has always valued the contributions of the security research community to help us better protect our users and our systems. We are committed to responding to, investigating, and resolving reports of legitimate vulnerabilities to protect our Members.
If you are a researcher and discover an actionable, high-impact vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users and our systems and to strengthen our relationship with the community.
Your participation in our disclosure is voluntary. By submitting a vulnerability report to us, you are indicating that you have reviewed and agreed to the guidance described on this page.
SUBMITTING A VULNERABILITY REPORT
Discovered a vulnerability? Use the form below to submit your finding.
AFTER THE SUBMISSION
We aim to acknowledge each submission within two business days. We'll keep you updated throughout the process of addressing the vulnerability and coordinate with you if you wish to publish any research after resolving the issue.
DOES PELOTON OFFER A BUG BOUNTY?
Peloton does not offer a bug bounty.
WHEN DOES PELOTON COMMUNICATE VULNERABILITIES TO THE PUBLIC?
As a general guideline, in the event our Members have to take an action to resolve a vulnerability (e.g., manually install or accept an update), we will communicate the vulnerability to Members in order to encourage resolution and help our Members understand why we’re asking them to take action.
In the event our Members do NOT have to take an action to resolve a vulnerability, we typically do not communicate with them about the vulnerability by default; however, we will work with finders to determine whether a public disclosure is appropriate.