Vulnerability Disclosure Program

1. Overview

LIFX, a wholly owned brand of Feit Electric Company, Inc., designs and operates connected smart lighting products and the cloud services and mobile applications that power them. We take seriously our responsibility to protect the security and privacy of our customers.

We welcome reports from security researchers who discover potential vulnerabilities in any LIFX product, service, or web property. We are committed to working collaboratively with the security community to identify and address issues promptly.

If you believe you have discovered a security vulnerability, please report it using the contact information below. We will acknowledge your report, investigate it thoroughly, and keep you informed of our progress.

For vulnerabilities affecting other Feit Electric family brands (Feit Electric, Cree Lighting, Good Earth Lighting, or Universal Security Instruments), please refer to the Feit Electric VDP at [email protected].

2. How to Report a Vulnerability

Send LIFX vulnerability reports to: [email protected]

Please use PGP encryption when sending vulnerability details by email.

PGP Key: LIFX PGP PUBLIC KEY
Key Fingerprint: C747 BAC2 8665 578D EF9E 0251 9FA1 B3A3 0EB9 20D2
Key version date: April 2024 — verify fingerprint before encrypting.

If you are unable to use PGP, send a brief unencrypted description and we will arrange a secure channel for full details.

If you are unsure whether your finding relates to a LIFX product or another Feit Electric brand, send your report to [email protected] and we will route it appropriately.

3. Legal Protections

LIFX, on behalf of Feit Electric Company, Inc., will not initiate civil or criminal legal action against researchers who discover and report security vulnerabilities in good faith in accordance with this policy. We consider research conducted in compliance with this policy to constitute authorized activity.

If legal action is initiated by a third party against a researcher who has in good faith complied with this policy, we will make clear that the researcher's activities were conducted pursuant to this program.

We will keep your identity confidential unless you explicitly request acknowledgement or disclosure is otherwise required by law.

To qualify as authorized activity, your research must:

  • Comply with all applicable federal, state, and other territorial laws
  • Avoid accessing, modifying, or retaining data beyond what is necessary to demonstrate the vulnerability
  • Avoid disclosing vulnerability details to any third party before we have had a reasonable opportunity to address the issue
  • Not cause harm to customers, systems, or services operated by LIFX or Feit Electric

4. Program Scope

In Scope

This program covers the following LIFX products, services, and web properties:

  • Device Firmware — Current production firmware for all LIFX smart lighting hardware, including bulbs, strips, tiles, and accessories
  • Mobile Applications — LIFX iOS and Android apps (current and future App Store / Google Play releases and updates)
  • Cloud API — LIFX HTTP Cloud API (api.developer.lifx.com) and associated backend infrastructure
  • LAN Protocol — LIFX LAN Protocol (lan.developer.lifx.com)
  • Web Properties — lifx.com and any subdomains operated by LIFX

Out of Scope

The following are excluded from this program and are not authorized for testing:

  • Third-party integrations and platforms, including Amazon Alexa, Google Home, Apple HomeKit, and Matter ecosystem partners
  • Discontinued or end-of-life LIFX hardware for which firmware updates are no longer being issued
  • Physical attacks requiring destruction of a device or hardware manipulation not achievable by an ordinary end user
  • Social engineering attacks targeting LIFX or Feit Electric employees, contractors, or support staff
  • Denial-of-service attacks or volumetric testing against any LIFX or Feit Electric infrastructure
  • Automated scanning that generates excessive load on production systems
  • Vulnerabilities in third-party libraries or components where the issue is not exploitable in a LIFX-specific context

5. What We Ask of Researchers

  • Report privately first. Please disclose vulnerabilities to the LIFX security team before making any public disclosure. We ask that you give us a reasonable opportunity to investigate and address the issue.
  • Avoid accessing customer data. Do not access, modify, delete, or exfiltrate data belonging to our customers. If you inadvertently access customer data, stop immediately and include that fact in your report.
  • Do not disrupt services. Do not conduct testing that degrades the availability or performance of LIFX products or services for other users.
  • Limit testing to your own devices. Only test against hardware and accounts that you own or for which you have explicit authorization from the account holder.
  • Provide sufficient detail. Include a clear description of the vulnerability, the affected product or service, steps to reproduce, and your assessment of potential impact. Where possible, also include: time and date of discovery; mobile application and operating system version; device model and MAC/UUID addresses; URL and browser details where applicable; sample code and screenshots where appropriate.
  • Researcher data. Please do not include personal data in your report beyond what is necessary to contact you, in line with applicable privacy regulations.

6. What You Can Expect from Us

We review all reports submitted directly to [email protected]. After submission you will receive an acknowledgement that we received your report. Most reports are resolved within 90 days.

For the protection of our customers, we do not disclose or discuss security issues until our investigation is complete and any necessary updates are generally available.

7. Bug Bounty

LIFX does not currently operate a monetary bug bounty program. We will publicly acknowledge researchers (with their consent) who report valid, in-scope vulnerabilities through this policy. We are grateful for contributions from the security community and evaluate our recognition practices on an ongoing basis.

8. Vulnerability Management Program

This policy forms part of the vulnerability management programs covered by Feit Electric's cybersecurity audit conducted pursuant to California Code of Regulations §7120–7124 (CCPA cybersecurity audit regulations, effective January 1, 2026). Reports received through this VDP are logged, tracked, and retained as part of the documented reporting programs pursuant to §7121(b)(10).

9. For Customers

If you believe your LIFX account has been compromised, or if you have observed suspicious activity on any of your connected LIFX devices, contact our support team at support.lifx.com.

General security practices for your LIFX devices:

  • Keep the LIFX app up to date — firmware updates for connected devices are typically delivered through the app
  • Use a strong, unique password for your LIFX account and enable two-factor authentication where available
  • Ensure your home Wi-Fi network uses WPA2 or WPA3 encryption
  • Regularly review devices connected to your LIFX account and remove any you no longer recognize or use