Responsible Disclosure of Security Vulnerabilities

Reporting security issues ¶ 

We want to keep iFixit safe for everyone. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. If you believe you have discovered a vulnerability or have a security incident to report, please email security@ifixit.com. Please include a detailed summary of the issue you discovered. Be sure to include an email address where we can reach you in case we need more information.

Please act in good faith towards our users' privacy and data during your disclosure. When testing for vulnerabilities, please do not insert test code into popular public guides - these guides are used by thousands of people daily, and disrupting their experience by testing for vulnerabilities is harmful (Please, always make a new guide instead!). We won't take legal or administrative against you or your account if you act accordingly: White hat researchers are always appreciated.

We're happy to provide a reward to users who report valid security vulnerabilities. To be eligible for a reward, you must:

  • Be the first person to responsibly disclose the bug.
  • Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure. Examples include:
    • Persistent Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Broken Authentication
    • Circumvention of our framework's privacy and permission models
    • Remote Code Execution

Our security team will assess each bug to determine if it qualifies.

Thanks! ¶ 

Thank you for your help with keeping the iFixit community safe. We really appreciate it.

Here are people who have responsibly disclosed vulnerabilities in the past:

2013 ¶ 

2012 ¶