COORDINATED VULNERABILITY DISCLOSURE
Peloton has always valued the contributions of the security research community to help us better protect our users and our systems. We are committed to responding, investigating, and resolving reports of legitimate vulnerabilities to protect our Members.
If you are a researcher and discover an actionable, high-impact vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users and our systems and to strengthen our relationship with the community.
Your participation in our disclosure is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have reviewed and agreed to the guidance described on this page.
Email us at firstname.lastname@example.org.
High quality submissions provide the clearest path to a solution by allowing us to understand and validate the issue and relay vulnerabilities to internal teams for resolution with little to no clarifying questions due to the completeness of the information provided in the original submission. (Before you submit, please review the “Out of Scope” section of this page to ensure that the issue you’re reporting is in-scope for this program.)
Please provide the following in your email to help us in our investigation:
- A description of the vulnerability and what it could allow an attacker to do if exploited
- If you believe the issue has been exploited already, please tell us, where possible:
  - How did you detect this?
  - When did the exploitation occur?
  - What data was exposed?
  - What do you believe the bad actor may have done with the exposed data?
  - Whether you believe the exploitation is still happening
- Detailed steps to reproduce the issue, including screenshots and/or video
- The system or platform (including version number) where you found the issue
- If relevant, please also provide the IP address or the URL of the affected system, network requests, and/or sample code
- Your name and contact information in order for us to acknowledge your submission
- If you are sending sensitive information, you can encrypt your communications to Peloton, or verify signed messages you receive from Peloton using the PGP key below to prevent this critical information from falling into the wrong hands:
We expect that you participate in this program in good faith, as described in the following ground rules. This protects both Peloton’s interests and yours!
- Only interact with accounts you own or for which you have explicit permission from the account holder.
- Do not access user or employee personal information or the confidential information of Peloton.
- If you accidentally gain access to this information: (a) stop testing immediately, and (b) immediately submit the vulnerability to us. Do not save, copy, store, transfer, disclose, or otherwise retain the information.
Do no harm.
- Don’t leave systems or users worse off than when you started testing.
- Do not test in a way that could degrade our services or our users’ experiences, privacy or security, or that may damage or destroy information.
- Do not engage in attacks involving physical security, social engineering, denial of service, spam or third party applications.
- Do not disclose vulnerability findings to the public or any third party until we have notified you in writing that the issue has been resolved. See “I plan to disclose this issue” below for more details.
- Do not disclose to the public or any third-party any non-public information we provide to you or that you learn about us, our employees or our users in connection with this program, without our prior written consent.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying our data, member data, employee data or third-party data.
We aim to interact with all finders with respect; we ask that you do the same when interacting with us.
- If you have followed the guidance on this page, we will not take or recommend any legal action against you regarding your report.
- Unless we are legally compelled, we will not pass your personal contact information to third-parties without your permission.
If you have a question about whether a certain action is authorized, please reach out to email@example.com for clarification before taking action.
We aim to acknowledge each submission by email within 2 business days, and then confirm whether or not we are able to reproduce the issue; we may also reach out if we have questions. We will keep you informed of the progress towards remediating the vulnerability, and we endeavor to partner with you if you decide to publish your research after we have taken action to protect our customers. If you ever have questions or other feedback during this process, please do not hesitate to reach back out to us!
I PLAN TO DISCLOSE THIS ISSUE
If, after a fix is confirmed in place, you plan to disclose the issue, we would appreciate it if you could share the following so we can coordinate our communication around the issue and help avoid potential customer confusion:
- How do you plan to disclose the issue? (e.g. blog, tweet, pre-brief media, etc.)
- What do you intend to disclose? (Please send over a draft; we’re happy to review!)
- When do you plan to disclose the issue?
- How do you prefer attribution from us?
We use the CVSS scoring system to determine issue severity and typically leverage STRIDE definitions to communicate impact. With this in mind, our goal is to address Critical and High Severity issues as soon as possible. Moderate and Low Severity issues may be addressed opportunistically or in future planned releases by our engineering teams.
Peloton does not offer a bug bounty. If you find vulnerabilities in Peloton products or systems, we would be glad to receive and drive your report as recommended by the ISO Coordinated Vulnerability Disclosure Standard. We’re always grateful for interest and support from the community to help us keep our members and systems safe and secure, as displayed on our Security Researcher Appreciation page. Together we go far!
As a general guideline, in the event our Members have to take an action to resolve a vulnerability (e.g. manually install or accept an update), we will communicate the vulnerability to Members in order to encourage resolution and help our Members understand why we’re asking them to take action.
In the event our Members do NOT have to take an action to resolve a vulnerability, we typically do not communicate with them about the vulnerability by default; we will work, however, with finders to determine whether a public disclosure is appropriate.
OUT OF SCOPE
- Findings which aren’t security-related: software bugs without security impact are not in scope for this program
- Vulnerabilities that rely on social engineering
- Reports based solely on outputs from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability
- Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
- Missing best practices, information disclosures, use of known-vulnerable libraries, or descriptive / verbose / unique error pages (without proof of exploitability)
- Denial of service attacks or issues related to rate limiting
- Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Non-production environments being accessible (without proof of exploitability)