Responsible Disclosure Policy

Introduction

Verisure is committed to ensuring the security of our Products, Systems, and all customer, partner, and employee data. We value collaboration with our community of users and researchers who can contribute to the identification of Security Vulnerabilities in our Products and Systems.  

This Policy outlines a process for responsible Security Vulnerability disclosure, with the goal of facilitating effective collaboration and rapid remediation of security issues. This Policy establishes guidelines for reporting and handling Security Vulnerabilities in a responsible manner, according to the rules of engagement below, and applies to any Security Vulnerabilities you are considering reporting to Verisure.

We recommend reading this Policy fully before you report a potential Security Vulnerability.  

Please note Verisure does not offer monetary rewards for Security Vulnerability disclosures.

How to Report a Vulnerability

Verisure investigates all reports of Security Vulnerabilities affecting its Products and Services. If you believe you have found a Security Vulnerability in a Verisure Product or Service, submit the report via the submission form below, providing sufficient detail for us to reproduce and investigate the issue (for example, the affected Product or Service, the steps you took, and the observed result). All mandatory fields must be filled in correctly, and it is essential that you maintain confidentiality when reporting a Security Vulnerability under this Policy. We ask that you do not disclose your findings publicly until Verisure has completed the investigation, resolved or mitigated the Security Vulnerability, and granted you permission to do so.

Next Steps

After you submit your report, Verisure will confirm that the report has been received and begin triage. Verisure may contact you via the anonymous web portal to gather further information on the report and will keep you updated on progress until the report is closed.

Our internal process starts with a review of the report to determine the impact, severity, and complexity of the Security Vulnerability, before remediation actions are implemented as appropriate.

Verisure reserves the right to share the contents of the submitted Security Vulnerability report and any subsequent findings with relevant parties, but will not disclose details that identify the reporter.

Third Party Products or Services

Products, systems, and data not owned by Verisure are not covered under this Policy. If you wish to research or test such systems, you must follow the responsible disclosure policies of the respective third parties.

Rules of Engagement

Verisure appreciates the efforts and contributions of the security research community and requires that you adhere to the following rules.

Reporter Must Not: 

•    Break any applicable laws or regulations.

•    Introduce a new Security Vulnerability, or attempt to exploit an existing one beyond what is needed to confirm it exists. 

•    Engage in social engineering or phishing of customers or employees. 

•    Demand financial compensation in exchange for the disclosure of a Security Vulnerability.

•    Access systems or data beyond what is necessary to identify, confirm, and report a Security Vulnerability; in particular, do not retrieve unnecessary, excessive, or significant amounts of data. 

•    Tamper with alarm system devices or systems belonging to existing customers, including the reporter's own. 

•    Modify, copy, share, corrupt, or otherwise impact data processed or stored in Verisure Products or systems. 

•    Use high-intensity, invasive, or destructive scanning tools to find Security Vulnerabilities, or perform disruptive activities including, but not limited to, brute-force attacks, denial-of-service attacks, or physical attacks against Verisure facilities or data centers. 

•    Interrupt alarm signals or notifications, or physically tamper with your own alarm system in any manner. 

•    Perform testing or research against third-party services or systems not belonging to Verisure, such as external cloud provider infrastructure. 

Reporter Must:

•    Only access data and systems to the extent necessary to confirm the existence of a Security Vulnerability. 

•    Stop research and/or testing activities upon confirming the existence of a Security Vulnerability, and report findings to Verisure without delay. 

•    Securely delete all data retrieved during research as soon as the Security Vulnerability has been reported and Verisure has confirmed acceptance of the report. 

•    Wait for written approval from Verisure before publicly disclosing details of the Security Vulnerability. The content of any public disclosure must also be approved by Verisure. 

What Not to Report:

•    Duplicate reports of Security Vulnerabilities that have already been reported. 

•    Non-exploitable Security Vulnerabilities, i.e. findings without a demonstrable security impact. 

•    User interface bugs, user experience bugs, or spelling mistakes. 

•    Findings that Products and Services do not fully align with "best practice" but carry no demonstrated security impact, such as missing security headers or self cross-site scripting (self-XSS). 

Verisure Must: 

•    Acknowledge receipt of a Security Vulnerability report within 30 days of receiving it. 

•    Provide bi-weekly status updates to the reporter, from the acknowledgement of receipt until closure of the Security Vulnerability report. 

•    Provide a written decision on whether the reporter may publicly disclose the Security Vulnerability. Where public disclosure has been agreed, review the content of the public disclosure before it is published. 

Definitions 

Security Vulnerability

A weakness in a software or hardware component of a Verisure Product or Service that, when exploited, may result in a negative impact to the confidentiality, integrity, or availability of Verisure data or services.

Verisure Product/Service 

Products, systems, or services developed or manufactured by Verisure. Products, systems, and data not owned by Verisure are not covered under this Policy. 

Questions and Support 

The Verisure security team has been appointed to handle Security Vulnerability disclosures. They can be contacted by filling in and submitting the form at https://www.verisure.com/responsible-disclosure-policy