Vulnerability Disclosure Program

This Vulnerability Disclosure Program applies to Feit Electric Company, Inc. and its wholly owned brands operated under the Feit family: Feit Electric (feit.com), Cree Lighting (creelightinghome.com), LIFX (lifx.com), Universal Security Instruments (universalsecurity.com), and Good Earth Lighting (goodearthlighting.com). Each site may present this program in branded form; the substantive rights and obligations are consistent across all properties.

Feit Electric Company, Inc. ("Feit," "we," "us," or "our") is committed to the privacy, safety, and security of our customers. This page describes how security researchers can report vulnerabilities to us, what to expect from us in return, and the scope of our vulnerability disclosure program.

1. Overview

Feit Electric and its family of brands manufacture and operate connected consumer products, including smart lighting, security devices, and related cloud services and mobile applications. We take seriously our responsibility to protect the customers and homes that depend on these products.

We welcome reports from security researchers who discover potential vulnerabilities in any product, service, or web property operated by Feit Electric or its brands. We are committed to working collaboratively with the security community to identify and address issues promptly.

If you believe you have discovered a security vulnerability, please report it using the contact information in Section 2 below. We will acknowledge your report, investigate it thoroughly, and keep you informed of our progress.

2. How to Report a Vulnerability

Reports should be sent to the security contact for the brand whose product or service is affected. If you are unsure which brand applies, send your report to security@feit.com and we will route it appropriately.

Feit Electric
  Primary Domain(s): feit.com
  Security Contact: security@feit.com
  Products / Services Covered: feit.com website, Feit Electric app, connected lighting and smart home device firmware, and all Feit-branded products not covered by a brand-specific entry below

LIFX
  Primary Domain(s): lifx.com
  Security Contact: security@lifx.com
  Products / Services Covered: lifx.com, LIFX iOS and Android apps, LIFX HTTP Cloud API (api.developer.lifx.com), LIFX LAN Protocol (lan.developer.lifx.com), and all LIFX-branded smart lighting firmware

Cree Lighting
  Primary Domain(s): creelightinghome.com
  Security Contact: security@feit.com
  Products / Services Covered: creelightinghome.com website and Cree Lighting Home-branded connected products

Good Earth Lighting
  Primary Domain(s): goodearthlighting.com
  Security Contact: security@feit.com
  Products / Services Covered: goodearthlighting.com website and Good Earth Lighting-branded connected products

Universal Security Instruments
  Primary Domain(s): universalsecurity.com
  Security Contact: security@feit.com
  Products / Services Covered: universalsecurity.com website, USI Connect app, and all USI-branded security device firmware (smoke detectors, CO alarms, and related connected devices)

Encrypt sensitive submissions. Please use PGP encryption when sending vulnerability details by email. PGP public keys are available at the links below. If you are unable to use PGP, send a brief unencrypted description and we will arrange a secure channel for full details.

PGP Keys

Feit Electric / all brands: security@feit.com
PGP Key: Feit Electric PGP PUBLIC KEY
Key Fingerprint: B6DB 647A AE30 C1EC 67A2 4AC7 A340 96A9 E6DD 8934

LIFX: security@lifx.com
PGP Key: LIFX PGP PUBLIC KEY
Key Fingerprint: [INSERT VERIFIED FINGERPRINT]
Key version date: April 2024 — verify fingerprint before encrypting.

3. Legal Issues and Protections

Feit Electric Company, Inc. (on behalf of itself and its brands LIFX, Cree Lighting, Good Earth Lighting, and Universal Security Instruments) will not initiate civil or criminal legal action against researchers who discover and report security vulnerabilities in good faith in accordance with this policy. We consider research conducted in compliance with this policy to constitute authorized activity.

If legal action is initiated by a third party against a researcher who in good faith has complied with this policy, we will make clear that the researcher's activities were conducted pursuant to this program.

We will keep a researcher's identity confidential unless the researcher explicitly requests acknowledgement or disclosure is otherwise required by law.

To qualify as authorized activity, your research must:

  1. comply with all applicable federal, state and other territorial laws;
  2. avoid accessing, modifying, or retaining data beyond what is necessary to demonstrate the vulnerability;
  3. avoid disclosure of vulnerability details to any third party before we have had a reasonable opportunity to address the issue; and
  4. not cause harm to customers, systems, or services operated by Feit Electric or its brands.

4. Program Scope

In Scope

This program covers products, services, and web properties operated by Feit Electric and its brands, including:

  • Device Firmware — Current production firmware for all connected hardware devices across all Feit Electric brands.
  • Mobile Applications — iOS and Android mobile apps for Feit Electric, LIFX, Good Earth Lighting, Cree Lighting, and Universal Security Instruments (current and future App Store / Google Play releases and updates).
  • Cloud Services & APIs — Cloud APIs and backend infrastructure operated by Feit Electric or its brands, including the LIFX HTTP Cloud API (api.developer.lifx.com) and the LIFX LAN Protocol (lan.developer.lifx.com).
  • Web Properties — feit.com, lifx.com, creelightinghome.com, goodearthlighting.com, universalsecurity.com, and any subdomains operated by Feit Electric or its brands.

Outside the Program Scope

Any service not expressly listed above is excluded from program scope and is not authorized for testing, including but not limited to:

  • Third-party integrations, platforms, and services (including Amazon Alexa, Google Home, Apple HomeKit, Matter ecosystem partners, Tuya platform services, and similar).
  • Discontinued or end-of-life hardware products for which firmware updates are no longer being issued.
  • Physical attacks requiring destruction of a device or hardware manipulation not achievable by an ordinary end user.
  • Social engineering attacks targeting Feit Electric or brand employees, contractors, or support staff.
  • Denial-of-service attacks or volumetric testing against any Feit Electric or brand infrastructure.
  • Automated scanning that generates excessive load on production systems.
  • Vulnerabilities in third-party libraries or components where the issue is not exploitable in a Feit Electric or brand-specific context.

5. What We Ask of Researchers

  • Report privately first. Please disclose vulnerabilities to the appropriate brand security contact before making any public disclosure. We ask that you give us a reasonable opportunity to investigate and address the issue.
  • Avoid accessing customer data. Do not access, modify, delete, or exfiltrate data belonging to our customers. If you inadvertently access customer data, stop immediately and include that fact in your report.
  • Do not disrupt services. Do not conduct testing that degrades the availability or performance of products or services for other users.
  • Limit testing to your own devices. Only test against hardware and accounts that you own or for which you have explicit authorization from the account holder.
  • Provide sufficient detail. Include a clear description of the vulnerability, the affected brand and product or service, steps to reproduce, and your assessment of potential impact. We also encourage you to provide: time and date of discovery; mobile application and operating system; computer model and OS details; device model number and MAC/UUID addresses; product model and number; URL and browser information including type, version, and input required to reproduce; sample code if applicable; and technical descriptions including screenshots where appropriate.
  • Researcher data. In line with GDPR, please do not include personal data in your reports beyond what is necessary to contact you.

6. What You Can Expect from Us

Feit reviews all reports that are submitted directly to us. After you submit your research, you will receive an acknowledgement that we received your report. Most reports are resolved within 90 days.

For the protection of our customers, Feit does not disclose or discuss security issues until our investigation is complete and any necessary updates are generally available.

7. Bug Bounty

Feit Electric and its brands do not currently operate a monetary bug bounty program. We will publicly acknowledge researchers (with their consent) who report valid, in-scope vulnerabilities through this policy. We are grateful for contributions from the security community and evaluate our recognition practices on an ongoing basis.

8. Vulnerability Management Program

This policy includes vulnerability management programs as part of Feit Electric's cybersecurity audit conducted pursuant to California Code of Regulations §7120–7124 (CCPA cybersecurity audit regulations, effective January 1, 2026).

Reports received through this VDP intake channel are logged, tracked, and retained as part of the documented reporting programs pursuant to §7121(b)(10).

9. For Customers

If you believe your account has been compromised, or if you have observed suspicious activity on any of your connected devices, contact the support team for the relevant brand:

General security practices for all Feit Electric connected devices:

  • Keep your mobile app up to date — firmware updates for connected devices are typically delivered through the app.
  • Use a strong, unique password for each brand account and enable two-factor authentication where available.
  • Ensure your home Wi-Fi network uses WPA2 or WPA3 encryption.
  • Regularly review connected devices associated with your accounts and remove any you no longer recognize or use.