The Internet of Things is predicted to be one of the fastest growing technology ecosystems in history. Wink has put itself at the forefront of this space by offering a simple, intuitive platform to control hundreds of connected devices from many of the world’s most trusted brands. Yet we know that if we wish to continue to remain a leader in the Internet of Things space, Wink must also be a brand that people trust. That’s why we value the security research community.

The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users, and we will give researchers free hardware as long as they continue submitting security issues to us. All we ask is a reasonable amount of time to resolve the issues you submit. In return, we aim to be transparent about how we approach securing our products so that everyone in the area of the Internet of Things, home automation and networked devices can benefit.

Research Guidelines

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • If you believe you have found a privacy issue, only use your test accounts to verify its existence.
  • Perform research only within the scope set out below.
  • Use the identified communication channels to report vulnerability information to us.
  • Keep information about any vulnerabilities you've discovered confidential between yourself and Wink Inc until we've had at least 90 days to resolve the issue.*

*Due to the nature of patching firmware and hardware issues, we may require additional time in some cases. We will make every effort to provide realistic timelines on when we can expect to resolve issues you discover.

Reasonable Disclosure Policy

If you follow these guidelines when reporting an issue to us, we will:

  • Not institute a civil legal action against you and not support a criminal investigation.
  • Work with you to understand and resolve the issue quickly (confirming the report within 72 hours of submission).
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Provide free hardware when new devices are available to those who have previously submitted confirmed issues to us.

Out of Scope

Any services hosted by 3rd party providers are excluded from scope. These services include:

  • Heroku
  • AWS
  • Hockey App
  • Third-party add-ons
  • [Other 3rd Party Services]

In the interest of the safety of our users, staff, the Internet at large and you as the security researcher, the following test types are excluded from scope and not eligible for a reward:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Targets’ section
  • Functional, UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to see:

  • Personally identifiable information of users (PII) that you may have found during your research unless it's PII from your test account.

Submit an Issue

To report a potential security vulnerability or concern, please contact . A Wink Security Incident Response Team member will review and respond to your submission within 48 hours, depending on the severity of the concern. Wink supports encrypted emails via PGP (Wink's public PGP key).

If you believe that Wink data or systems are at risk, please include the following details in your email:

  • A brief summary of the activity being reported (i.e. what Wink information is being degraded, disclosed, or denied)
  • Email, domain name, or IP address involved
  • How the activity was detected

If you believe you have discovered a vulnerability in a Wink product, please include the following details in your email:

  • Subject line must have PSIRT
  • Wink product name(s) and version(s)
  • Description of the concern or vulnerability (e.g. privilege escalation, buffer overflow, SQL injection, cross-site scripting)
  • Information to help our team replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code)

Thank you for participating. It is your work that will help keep us secure.