Responsible Disclosure of Security Vulnerabilities
We're working with the security community to make iFixit safe for everyone.
Reporting security issues
If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. If you believe you have discovered a vulnerability or have a security incident to report, please email security@ifixit.com. Please include a detailed summary of the issue you discovered. Be sure to include an email address where we can reach you in case we need more information.
Code of Conduct
Please act in good faith towards our users' privacy and data during your disclosure. When testing for vulnerabilities, please do not insert test code into popular public guides or threads. These guides are used by thousands of people daily, and disrupting their experience by testing for vulnerabilities is harmful.
Please, always make a new guide or ask a new question instead! If those actions are not possible, please delete all guides, comments, and posts when you have completed your testing and reporting.
We won't take legal or administrative action against you or your account if you act accordingly: White hat researchers are always appreciated.
Bug Bounty
We're happy to provide a reward to users who report valid security vulnerabilities. To be eligible for credit and a reward, you must:
- Be the first person to responsibly disclose the bug.
- Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.
Please do report:
- Persistent Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- Broken Authentication
- Circumvention of our framework's privacy and permission models
- Remote Code Execution
Please do not report:
- Outdated versions of Wordpress with no known vulnerabilities
- Username enumeration
- Self-XSS
- Missing DNS SPF records
- Security problems with subdomains such as createsend.ifixit.com that are operated by third party services
Our security team will assess each bug to determine if it qualifies. We do our best to respond to your reports in a timely manner. We aim to respond within 3 business days, however some reports take longer than others to investigate. We reply only during business hours (9AM-5PM PST, weekdays, excluding holidays). Repeated emails will NOT result in a quicker response, and may bump your report to the end of the queue.
Thanks!
Thank you for your help with keeping the iFixit community safe. We really appreciate it.
Here are people who have responsibly disclosed vulnerabilities in the past:
2023
2022
- Nicolas Armua
- Sandip Maity
- Shreyas Ghevariya
- Mark Rosenbaum
- Karim Adala
- Aniket Kamboj
- Jefferson Gonzales (Gonz)
- Sanjay Venkatesan
2021
2020
- Mouaz Abdelkader
- Surya Prakash Akula
- Naveen Kumar
- Marek Jílek
2019
2018
2017
- Amine Hm
- Krishna Manoj Vandavasi
- Osama Ansari
- Harold Zang
- Atik Rahman
- Mohammed Israil
- Abdulwahab Khan
- Gamiel Xavier V. Manbiotan
- Ravi yadav
- Piyush kumar
- Abdul Haq Khokhar
- Abdul Rehman Qureshi
- Mahad Ahmed
- Himanshu Rahi
- Shahar Albeck
- Akshay Pandurangi
- Sumit Sahoo
- Kaushal Parikh
- Rehan Qureshi
- Abdullah
- Raja Uzair Abdullah
- Mohammad Nurnobi
- resis10ce
- Jaikishan Tulswani
- Ashish Kunwar
- Guhan Raja.L
- Sundar Lal Baror
- Jineesh AK
- Youssef A. Mohamed
- Steven Hampton
- Parth Barvaliya
2016
- Suhas Sunil Gaikwad
- Milan A Solanki
- Yogesh Anil Tantak
- Daniel Bakker
- Maulik Shah
- Kevin Chung
- Eliran Itzhak
- Noman Shaikh
- Swapneil Kumar Dash
2015
- Jineesh AK
- Sai Shanthan Palvai
- Muhammad Hassaan Khan
- David Dworken
- Swaroop Yermalkar
- Kacper Szurek
- Callum Carney
- Muhammad Osama
- Muhammad Zeeshan
- Hadji Samir
2014
- Nitin Goplani
- Mohammed Abdulqader Al-saggaf
- Mohamed Abdelbaset Elnoby
- Mazen Gamal Mesbah
- Abhishek Dashora
- Kiran Karnad
- Eslam Medhat
- Karthic Kumar
- Jitendra Jaiswal
- Abdul Wasay
- Anand Prakash
- Rafael Pablos
- Robin Puri
- Tom Caserta
- Jerold Camacho
- Justine Edic
- Manish Bhattacharya
- Muhammad Talha Khan
- Atulkumar Hariba Shedage - Suruji.com
- Cedric Van Bockhaven
- Kamil Sevi
- Andris Atteka
2013
- Clifford Trigo
- Osanda Malith Jayathissa
- Boris Miskovic
- Hood3dRob1n
- Rodolfo Godalle, Jr.
- Muhammad Shahmeer
- Ishan Anand
- Nicholas Lemonias - Advanced Information Security Corp
- CyberSecurityMV
- Ali Hasan Ghauri
- Ehraz Ahmed
- Enguerran Gillier
- Denis Kolegov
- Siddhesh Gawde
- Maheshkumar Rajubhai Darji
- Jordan Milne
- Sumit Shinde
- Andrei Miu - @bibz0r
- Yaroslav Olejnik - O.J.A.
- Sachin Kediyal
- Narendra Bhati - Web Security Geeks
- Jon - Bitquark
- Riaz Ebrahim
- Tejash Patel - @tejash1991
- Sasi Levi - @sasi2103
- Mahadev Subedi
- Sebastian Neef & Tim Schäfers - @internetwache
- Abhinav Karnawat - \/ w4rri0r \/
- Sabari Selvan - @EHackerNews
- Malte Batram - @_batram
- Priyal Viroja - aN0_pr!+Z
- Krutarth Shukla
- Himanshu Kumar Das
- Mariano Di Martino
- Ajay Singh Negi
- Piyush Malik - @ThePiyushMalik
- Ritesh Arunkumar Sarvaiya - defencely
- Kyle Swidrovich
- Yuji Kosuga
- Shashank Kumar
- Atulkumar Hariba Shedage - defencely
- Frans Rosén - @detectify
- Emanuel Bronshtein - @e3amn2l
- Jaume Llopis Pujal
- Kamil Sevi - @kamilsevi
- Simran Jeet Singh
- Tushar Kumbhare - Anti Hacking Anticipation Society
- Subho Halder - @sunnyrockzzs & Aditya Gupta - @adi1391
2012
- Tushar Kumbhare - Anti Hacking Anticipation Society & Thamatam Deepak - Mr.47
- Jaume Llopis Pujal
- Jacob Soo Lead Re
- Yuji Kosuga
- Adam Ziaja
- Alok. J. Sudhakar
- Adino Namchu
- Chiragh Dewan
- Rafay Baloch - http://rafayhackingarticles.net
- Himanshu Sharma - DCE, Gurgaon
- Krutarth Shukla
- Harsha Vardhan Boppana - Login Security Solutions
- Atulkumar Hariba Shedage - defencely
- Rakan Alotaibi - @hxteam
- Kamil Sevi - @kamilsevi
- Nikhil Kulkarni
- M.R.Vignesh Kumar
- Prajal Kulkarni
- Ajay Singh Negi
- Himanshu Kumar Das
- Elvin Gentiles
- Emanuel Bronshtein - @e3amn2l
- Maxim Rupp
- Avram Marius Gabriel
2011
- Matt Swann - @MSwannMSFT