Vulnerability Reporting

Boston Dynamics appreciates the efforts of security researchers and welcomes any information that could lead to the identification and remediation of a cybersecurity vulnerability in a Boston Dynamics product. We will investigate and respond to legitimate reports submitted according to the instructions below in a timely manner.

By submitting a report under this program, you agree not to:

  • Engage in testing or research that may harm or put at risk Boston Dynamics, its employees, its customers, or other third party individuals or entities.
  • Disrupt, compromise, or harm any Boston Dynamics product or data other than that which you own, and in accordance with its terms of use and your agreements with Boston Dynamics.
  • Access or disclose personal information belonging to Boston Dynamics, its employees, its customers, or other third party individuals or entities.
  • Compromise or disclose confidential or proprietary data belonging to Boston Dynamics, its employees, its customers, or other third party individuals or entities.
  • Test the physical security of any Boston Dynamics property or facility, or the properties or facilities of Boston Dynamics affiliates or related third parties.
  • Perform any kind of denial-of-service testing or over-exhaust an IT function.
  • Perform social engineering, spam, or phishing/spear phishing attacks.
  • Disclose to any third party the details of any submitted vulnerability reports before Boston Dynamics can confirm complete remediation of the identified issue (if any).
  • Participate or submit reports if you are employed by Boston Dynamics, an affiliate company, or a Boston Dynamics supplier, or are acting on behalf of someone employed by Boston Dynamics. If you are a member of any of these entities, please report the issue to your management, who will then report it directly to Boston Dynamics.

In submitting reports, please note that although Boston Dynamics sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.

When submitting reports, we request that you:

  • Describe the alleged vulnerability and, where possible, include proof-of-concept code to facilitate our analysis and triage of your report.
  • Describe the methods you employed to identify the alleged vulnerability and any known or possible remediation.
  • Confirm that you are not on the U.S. Department of the Treasury’s Specially Designated Nationals List or other restricted party lists maintained by the U.S.
  • Comply with all applicable laws and regulations in all work related to this program.

If you identify an issue that you believe could be a cybersecurity vulnerability in any Boston Dynamics product or service, please contact us at security@bostondynamics.com. By submitting a report, you agree that Boston Dynamics may use the information in your report in whatever ways we see fit.