Responsible Disclosure
At Peloton, we consider the security of our systems and the best interest of our members a top priority. However, no matter how much effort we put into system security, there can still be vulnerabilities present. Because of this we are looking to the security community to help us meet this top priority through programs like responsible disclosure.
If you are a researcher and discover an actionable, high-impact vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users and our systems and to strengthen our relationship with the community. We require all researchers to meet the below requirements. Peloton reserves all legal and equitable rights in the event of any non-compliance.
Please do the following:
- Email your findings to vulnerability.disclosure@onepeloton.com. Encrypt your findings using our PGP key below to prevent this critical information from falling into the wrong hands.
- Capture only the minimum amount of information necessary in order to provide us with a responsible disclosure. Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying Peloton data, member data, or third-party data.
- Do not access user or employee personal information or the confidential information of Peloton. If you accidentally gain access to this information stop testing immediately and submit the vulnerability to Peloton.
- Do not test in a manner that may degrade Peloton's services or its users' experience, or that destroys information during security testing.
- Conduct research only in accordance with these requirements.
- Do not disclose the finding to the public or any third-party until Peloton has notified you in writing that it has been resolved.
- Do not disclose to the public or any third-party any non-public information provided to you by Peloton.
- Do not use attacks involving physical security, social engineering, denial of service, spam, or third-party applications.
- Do provide all information sufficient to reproduce the problem, so we will be able to resolve it as quickly as possible. This includes, but is not limited to, the IP address or the URL of the affected system, screen captures, network requests, reproduction steps, and a description of the vulnerability. Complex vulnerabilities may require further explanation as requested by us.
- Do provide your name and contact information in order for us to acknowledge your submission.
If you meet the requirements:
- We will respond to your report after the conclusion of our evaluation of the report.
- If you have followed the instructions above, we will not take any legal action against you regarding your report.
- Unless we are legally compelled, we will not pass your personal contact information to third-parties without your permission.
- If requested, we will keep you informed of the progress towards resolving the problem; and
- Unless you request otherwise, we may publicly credit your name as the security researcher who discovered the finding.
We strive to resolve all problems as quickly as possible, and we endeavor to play an active role in the ultimate publication on the problem after it is resolved.
Encrypting Your Message
If you are sending sensitive information you can encrypt your communications to Peloton, or verify signed messages you receive from Peloton using the PGP key below:
- Key ID: 30387022 (short key ID, the last eight hex digits of the fingerprint below; short IDs are not unique, so verify the full fingerprint before encrypting)
- Key type: RSA
- Key size: 4096
- User ID: vulnerability.disclosure@onepeloton.com
- Fingerprint: 5764 04A7 BF53 C88B F122 57B4 3DDE 0F32 3038 7022
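The following is an added example of pinning the published fingerprint before encrypting a report with GnuPG; it is not part of Peloton's page and is not Peloton's tooling. It assumes the public key has been saved locally as `peloton-vdp.asc` and the report as `report.txt` (both filenames are assumptions). The point of the check is that a short key ID such as 30387022 can be matched by more than one key, so the script only encrypts once a key in the keyring carries exactly the 40-hex-digit fingerprint above, and then addresses the encryption to that fingerprint rather than to the e-mail address.

```shell
#!/bin/sh
# Added example (not Peloton's code): encrypt a disclosure report only to a
# key whose full fingerprint matches the one published on the policy page.
# Assumed inputs: ./peloton-vdp.asc (the public key) and ./report.txt.

EXPECTED_FPR="5764 04A7 BF53 C88B F122 57B4 3DDE 0F32 3038 7022"
RECIPIENT="vulnerability.disclosure@onepeloton.com"

# Strip spaces and upper-case so "5764 04a7 ..." and "576404A7..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only when both values are a full 40-hex-digit fingerprint and equal.
# A short 8-digit key ID is deliberately rejected: it is trivially collidable.
fpr_matches() {
    actual=$(normalize_fpr "$1")
    expected=$(normalize_fpr "$2")
    [ ${#expected} -eq 40 ] || return 1
    [ ${#actual} -eq 40 ] || return 1
    [ "$actual" = "$expected" ]
}

# List every fingerprint gpg reports for keys carrying the recipient user ID.
# In --with-colons output the fingerprint is field 10 of each "fpr:" line.
keyring_fprs() {
    gpg --batch --with-colons --fingerprint "$RECIPIENT" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10 }'
}

# Succeed only if some key for the recipient has the pinned fingerprint.
key_present() {
    for f in $(keyring_fprs); do
        fpr_matches "$f" "$EXPECTED_FPR" && return 0
    done
    return 1
}

# Import the key, verify the pin, then encrypt to the fingerprint itself.
encrypt_report() {
    keyfile=$1
    report=$2
    gpg --batch --import "$keyfile" || return 1
    if ! key_present; then
        echo "refusing to encrypt: no key with fingerprint $EXPECTED_FPR" >&2
        return 1
    fi
    # --trust-model always skips web-of-trust prompts; the fingerprint check
    # above is the trust decision. Output goes to report.txt.asc.
    gpg --batch --armor --encrypt --trust-model always \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$report.asc" "$report"
}

# Usage: encrypt_report peloton-vdp.asc report.txt
```

Run the last line after sourcing the script; the functions that call `gpg` are only executed then, so the fingerprint comparison logic can be exercised without a keyring.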