Target Policy

Structured Scope

• Asset Identifier

  Asset Type

  Max Severity

• store.logitech.com.cn

  ---

  store.logitech.com.cn is a hosted 3rd party service, so we will forward any reports onto the vendor.

  URL

  critical
• *.logitechg.com

  URL

  critical
• *.logitechmusic.com

  ---

  This domain is for a legacy product. We will accept reports, but resolving times may be long for lower priority issues as there are limited customer's still using it.

  WILDCARD

  critical
• www.logitech.com/my-account

  ---

  Only the sections of www.logitech.com that deal with Logitech Accounts. This is typically anything accessed once you click My-Account and login, or create an account.

  URL

  critical
• *.challonge.com

  URL

  medium
• *.ultimateears.com

  URL

  critical
• *.astrogaming.com

  URL

  critical
• *.jaybirdsport.com

  URL

  critical
• support.logi.com

  URL

  critical
• Logitech Sync

  ---

  This is Sync Desktop Application by Logitech. The latest version is eligible.

  DOWNLOADABLE_EXECUTABLES

  critical
• com.streamlabs.slobsrc

  GOOGLE_PLAY_APP_ID

  critical
• *.teambeyond.net

  URL

  none
• *.logitech.com

  ---

  Other logitech websites not explicitly listed

  WILDCARD

  critical
• id.logi.com

  URL

  critical
• www.logitech.com

  URL

  critical
• logilife.logitech.com

  URL

  critical
• www.logicool.co.jp

  URL

  critical
• gaming.logicool.co.jp

  URL

  critical
• www.logitech.com.cn

  ---

  Ineligible for bounty:
  store.logitech.com.cn is a hosted 3rd party service, so we will forward any reports onto the vendor.

  URL

  critical
• *.streamlabs.com

  WILDCARD

  critical
• *.cognitiveperformer.com

  WILDCARD

  medium
• feedback.logitech.com

  URL

  critical
• *.myharmony.com

  ---

  This domain is for a legacy product. We will accept reports, but resolving times may be long for lower priority issues as there are limited customer's still using it.

  WILDCARD

  critical
• Circle Cameras

  ---

  Please note exploits resulting from physical hacks to the device itself are out of scope, and any received reports will be marked N/A in accordance with HackerOne policy. Please refrain from submitting reports for physical hacks to avoid losing Reputation.

  At this time we are unable to provide Circle devices for testing purposes. If you already own a Circle , hack away to your heart's content, otherwise watch this space for updates!

  Eligible models include all Circle cameras (Circle View Doorbell, Circle View Camera, Circle 2, Circle) running the latest firmware.
  

  HARDWARE

  critical
• *vc.logitech.com

  WILDCARD

  critical
• Streamlabs Desktop Application PC/MAC

  ---

  The latest version is eligible

  DOWNLOADABLE_EXECUTABLES

  critical
• outagehistory.logitech.com

  URL

  critical
• *.mysqueezebox.com

  WILDCARD

  critical
• external.logitech.com

  ---

  Also includes: vcp-external.logitech.com and external-qa.logitech.com

  URL

  critical
• com.logitech.ueboom

  ---

  App: BOOM & MEGABOOM by Ultimate Ears

  GOOGLE_PLAY_APP_ID

  critical
• Logitech Options PC/MAC

  ---

  Logitech Options software lets you customize your Logitech device.
  The latest version is eligible (PC & MAC).

  DOWNLOADABLE_EXECUTABLES

  high
• http://*vc.logitech.com

  WILDCARD

  critical
• http://*.streamlabs.com

  WILDCARD

  critical
• http://*.getmeetio.com

  ---

  Are in the scope:
  admin.getmeetio.com
  storage.getmeetio.com
  stats-api.getmeetio.com
  api.getmeetio.com
  look.getmeetio.com
  parse.getmeetio.com

  WILDCARD

  critical
• buy.logitech.com

  ---

  The service hosted on buy.logitech.com is provided by a 3rd party called Digital River. We will forward reports to them.

  URL

  critical
• www.ultimateears.com

  URL

  critical
• www.astrogaming.com

  URL

  critical
• 1476615877

  ---

  This app is Streamlabs Deck by Streamlabs

  APPLE_STORE_APP_ID

  critical
• www.logitechg.com

  URL

  critical
• Logi Tune PC/MAC

  ---

  Logi Tune Desktop application for PC and MAC reports are eligible as long as they are on the latest version.

  DOWNLOADABLE_EXECUTABLES

  high
• Presentation Remotes

  ---

  In-scope devices: R500 Laser Presentation Remote; Spotlight Presentation Remote; R400 Laser Presentation Remote; R700 Laser Presentation Remote

  HARDWARE

  high
• *.melonapp.com

  WILDCARD

  critical
• community.logitech.com

  URL

  critical
• www.logitechstore.com.br

  URL

  critical
• www.logitech-partner.com

  URL

  critical
• maintenance.logitech.com

  URL

  critical
• outage.logitech.com

  URL

  critical
• *.logitech-channel-marketing.com

  WILDCARD

  critical
• alert.logitech.com

  URL

  high
• jira.logitech.com

  ---

  Also includes jira.logitech.io

  URL

  critical
• *.saitekforum.com

  WILDCARD

  none
• com.logitech.logue

  ---

  This App is Logi Tune for Zone Headsets by Logitech

  GOOGLE_PLAY_APP_ID

  high
• *.crossclip.com

  WILDCARD

  critical
• Video Conferencing Products

  ---

  All products running their latest firmware listed in the page below are eligible:
  https://www.logitech.com/en-us/video-collaboration/products

  HARDWARE

  critical
• com.streamlabs

  ---

  This is the "Streamlabs: Live Streaming" App by Streamlabs

  GOOGLE_PLAY_APP_ID

  critical
• logitech.zendesk.com

  URL

  critical
• partner.logitech.com

  URL

  critical
• *.streamlabscharity.com

  WILDCARD

  critical
• *.saitek-fr.com

  WILDCARD

  none
• *.saitek.com

  WILDCARD

  none
• Scope Questions: Items not explicitly listed here

  ---

  If you have a question about something that is not explicitly listed (or falls under a wildcard domain), please submit a report and we will provide clarification. We will allow you to self close that report after we answer your question.

  OTHER

  critical
• *.lukwerks.com

  WILDCARD

  medium
• *.logitechauthorization.com

  WILDCARD

  critical
• Logitech Mice & Keyboards

  ---

  The current generation of Logitech Keyboards and Mouses.

  HARDWARE

  high
• 632344648

  ---

  App: BOOM & MEGABOOM by Ultimate Ears

  APPLE_STORE_APP_ID

  critical
• www.jaybirdsport.com

  URL

  critical
• Harmony Remote Software

  ---

  The Harmony Desktop software for PC / MAC.

  DOWNLOADABLE_EXECUTABLES

  critical
• com.logitech.circle

  ---

  This app is part of the Circle ecosystem of camera devices.

  GOOGLE_PLAY_APP_ID

  critical
• *.ultimateearsuniversity.com

  WILDCARD

  critical
• sync.logitech.com

  ---

  Cloud service associated with the Logitech Sync application

  URL

  critical
• G Hub

  ---

  Only the latest version of GHub is in scope.

  DOWNLOADABLE_EXECUTABLES

  high
• *.logi.com

  ---

  Other logi.com domains not explicitly listed.

  WILDCARD

  critical
• Logi Options+ PC/MAC

  ---

  Logi Options+ software lets you configure your Logitech device.
  The latest version is eligible (PC & MAC).

  DOWNLOADABLE_EXECUTABLES

  high
• 1456293789

  ---

  This app is Logi Tune by Logitech Inc.

  APPLE_STORE_APP_ID

  high
• com.getmeetio.*

  ---

  Are in the scope:
  Meetio Room (com.getmeetio.room), Android
  Meetio View (com.getmeetio.view), Android
  Meetio Desk (com.getmeetio.meetiodesk), Android
  Meetio Update (com.getmeetio.update), Android
  Meetio System (com.getmeetio.system), Android
  Meetio Personal (com.getmeetio.personal), Android

  GOOGLE_PLAY_APP_ID

  critical
• *.getmeetio.com

  ---

  Are in the scope:
  admin.getmeetio.com
  storage.getmeetio.com
  stats-api.getmeetio.com
  api.getmeetio.com
  look.getmeetio.com
  parse.getmeetio.com

  WILDCARD

  critical
• *.uesmartradio.com

  ---

  This domain is for a legacy product. We will accept reports, but resolving times may be long for lower priority issues as there are limited customer's still using it.

  WILDCARD

  critical
• Other Logitech Desktop and Mobile Application

  ---

  This covers all Logitech Desktop and Mobile applications not specifically defined by other assets.

  DOWNLOADABLE_EXECUTABLES

  critical
• *.slimdevices.com

  ---

  This domain is for a legacy product. We will accept reports, but resolving times may be long for lower priority issues as there are limited customer's still using it.

  WILDCARD

  critical
• 1018340690

  ---

  This is the iOS app for the Circle ecosystem of devices,

  APPLE_STORE_APP_ID

  critical
• *.logitech.io

  ---

  Other domains under logitech.io not explicitly listed.

  WILDCARD

  critical
• logitechgchallenge.com

  URL

  critical
• *.wlo.link

  WILDCARD

  critical
• meetiobook.com

  URL

  critical
• com.getmeetio.Meetio-Enterprise

  ---

  Meetio Personal (com.getmeetio.Meetio-Enterprise), iOS

  APPLE_STORE_APP_ID

  critical
• logitechg.com.cn

  URL

  critical
• *.oslo.io

  WILDCARD

  critical
• circle.logi.com

  ---

  Also includes the *.video.logi.com and *.circle.logi.com
  See developer documentation at https://developers.logitech.com/circle

  URL

  critical
• *.lucra.live

  WILDCARD

  critical
• *.wilife.com

  WILDCARD

  none
• Other Logitech Hardware/IoT

  ---

  Other current generations Hardware/IoT devices not explicitly listed in the asset list.
  Logitech Security Team might reward a report up to their discretion.

  HARDWARE

  critical
• USB Unifying and LightSpeed Receivers

  HARDWARE

  critical
• Squeezebox Products

  ---

  Squeezebox products were EOL'ed many years ago and aren't eligible for submissions.

  HARDWARE

  none
• Logitech Alert Cameras

  ---

  Logitech Alert cameras and the Commander software were EOL'ed many years ago and are not in scope for submission.

  HARDWARE

  none
• Harmony Remotes

  ---

  In scope products: Harmony Elite, Harmony 950, Harmony Companion, Harmony Hub, Harmony 665, Harmony 350 Control.

  HARDWARE

  high
• Ultimate Ears Speakers

  ---

  Products in scope are the current generation
  BLAST, MEGABLAST, BOOM 3, MEGABOOM 3, WONDERBOOM 2, HYPERBOOM, POWER UP

  HARDWARE

  medium
• accounts.logi.com

  ---

  Non production testing site exists under sandbox.accounts.logi.com

  URL

  critical
• *.harmonyremote.com

  WILDCARD

  critical
• www.logitechclub.com

  URL

  critical
• Logitech MIXLINE

  DOWNLOADABLE_EXECUTABLES

  critical
• 1294578643

  ---

  This app is Streamlabs: Stream Live by Streamlabs

  APPLE_STORE_APP_ID

  critical
• *.mevo.com

  WILDCARD

  critical

Target Scope Domains

• accounts.logi.com
• alert.logitech.com
• astrogaming.com
• buy.logitech.com
• challonge.com
• circle.logi.com
• cognitiveperformer.com
• community.logitech.com
• crossclip.com
• external.logitech.com
• feedback.logitech.com
• gaming.logicool.co.jp
• getmeetio.com
• harmonyremote.com
• id.logi.com
• jaybirdsport.com
• jira.logitech.com
• logi.com
• logilife.logitech.com
• logitech-channel-marketing.com
• logitech.com
• logitech.io
• logitech.zendesk.com
• logitechauthorization.com
• logitechg.com
• logitechg.com.cn
• logitechgchallenge.com
• logitechmusic.com
• lucra.live
• lukwerks.com
• maintenance.logitech.com
• meetiobook.com
• melonapp.com
• mevo.com
• myharmony.com
• mysqueezebox.com
• oslo.io
• outage.logitech.com
• outagehistory.logitech.com
• partner.logitech.com
• slimdevices.com
• store.logitech.com.cn
• streamlabs.com
• streamlabscharity.com
• support.logi.com
• sync.logitech.com
• uesmartradio.com
• ultimateears.com
• ultimateearsuniversity.com
• vc.logitech.com
• vc.logitech.com
• wlo.link
• www.astrogaming.com
• www.jaybirdsport.com
• www.logicool.co.jp
• www.logitech-partner.com
• www.logitech.com
• www.logitech.com.cn
• www.logitechclub.com
• www.logitechg.com
• www.logitechstore.com.br
• www.ultimateears.com

• 2742 Subdomains
• 5050 Endpoints
• Download wordlist

Last Finished Scan: