EchoStar Vulnerability Disclosure Policy

EchoStar considers protecting the information of our customers, vendors, partners, employees, and organization a top priority that we take very seriously. 

We recognize the value customers, security researchers, and security experts can provide to our organization toward addressing this responsibility.  We want all potential contributors to feel comfortable promptly reporting any vulnerabilities they may discover in our assets.  We welcome vulnerability disclosures in accordance with this policy and appreciate the opportunity to promptly remediate all such findings.

This policy describes what systems and types of research are covered under this policy, how to send EchoStar vulnerability reports, and how long EchoStar asks security researchers to wait before disclosing discovered vulnerabilities outside of communications with BugCrowd and EchoStar.

EchoStar requires you:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data. Do not attempt to access accounts that do not belong to you. Do not attempt to access private information of any users. Do not attempt to modify or destroy data. Do not perform any type of denial-of-service attack. Do not transmit malware, in any capacity.
• Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established a vulnerability exists, or encountered any of the sensitive data outlined below, you must stop your test and notify us immediately.
• Closely monitor any testing to ensure you are not compromising the integrity or availability of our assets; if you notice performance degradation of our assets, immediately suspend all testing and use of automated tools.
• Keep confidential any information about discovered vulnerabilities for at least 90 calendar days after BugCrowd validation of your finding.
• Are not a resident of any country under U.S. sanctions posted by the United States Treasury Department.
• Are not an employee or contractor of EchoStar, its brands or subsidiaries and were not an employee or contractor within the past 6 months.
• Ensure your research does not violate any U.S. law or laws of the country of origin where the work is conducted.
• Please remain patient throughout the submission, validation, and remediation process; once validated by BugCrowd, we will work to remediate your finding as a top priority.

This policy applies to the following systems:

1. All domains owned by EchoStar and any brands or subsidiaries, including but not limited to the following:

• EchoStar.com
• Hughes.com
• HughesNet.com
• Dish.com
• DishAnywhere.com
• Sling.com
• Boostmobile.com
• OnTechSmartServices.com
• GenMobile.com

2. All hardware products and associated software engineered, developed, and manufactured by EchoStar, any brand, or any subsidiary company.

3. All applications published on Google Play or Apple App Store associated with EchoStar, any EchoStar brand, or any EchoStar subsidiary. 

4. Any associated infrastructure vulnerabilities. 

5. Other vulnerabilities in any other EchoStar-owned asset with demonstrated impact. 

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in non-EchoStar systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any).

If you aren't sure whether a system or endpoint is in scope or not, contact us at echostar-vdp-pro@submit.bugcrowd.com before starting your research.

The following test types are NOT authorized and are NOT in scope:

• Network denial of service (DoS or DDoS) tests.
• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), spam, or any other non-technical vulnerability testing.
• Self XSS (user defined payload).
• Uploading malware
  
  

If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately:

• Personally Identifiable Information
• Customer Proprietary Network Information
• Financial Information (e.g. Credit Card or Bank Account Numbers)
• Proprietary Information or Trade Secrets of Companies (of any party)

If you comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and EchoStar will not initiate or recommend legal action related to your research.

Note: This policy does not grant permission to engage in any malicious activities. Unauthorized access, disruption of services, and any other malicious actions are strictly prohibited and may be subject to legal action.

EchoStar accepts and discusses vulnerability reports via the BugCrowd submission form found below.  The form is the preferred and best means by which to submit your finding. Use of the form helps ensure sufficient information is provided that allows us to understand and address your finding.

Alternatively, you may submit your finding via email to  echostar-vdp-pro@submit.bugcrowd.com following BugCrowd’s guidance for submissions.

Please keep your vulnerability reports current by sending us any new information as it becomes available.

We may share your vulnerability reports with US-CERT, as well as any affected vendors or open source projects.  However, please note vulnerabilities found in 3rd party software and systems (not owned by EchoStar) fall outside of this policy's scope and should instead be reported directly to that vendor according to their disclosure policy (if any).

EchoStar is committed to remediating discovered vulnerabilities within 90 days or fewer following BugCrowd validation.

We believe disclosure prior to remediation tends to increase risk rather than reduce it, and we ask you to please refrain from sharing reports with others while we work on our remediation efforts. If you believe there are others who should be informed of your report before remediation is completed, please let us know in your form submission or via echostar-vdp-pro@submit.bugcrowd.com.

Should you wish to post an advisory following our remediation, we would appreciate the opportunity to work with you to ensure sensitive information is redacted, so we ask that you please share the planned posting with us in advance via your form submission or via echostar-vdp-pro@submit.bugcrowd.com and allow us a reasonable amount of time to review and respond before self-disclosing.

EchoStar reserves the right to update and revise this policy as needed. Check this page regularly for the latest information.