Responsible Disclosure Policy

Introduction

Verisure is committed to ensuring the security of our Products, Systems, and all customer, partner, and employee data. We value collaboration with our community of users and researchers who can contribute to the identification of vulnerabilities in our Products and Systems. This Policy outlines a process for responsible vulnerability disclosure, with the goal of facilitating effective collaboration and rapid remediation of security issues.  

This Policy establishes guidelines for reporting and handling vulnerabilities in a responsible manner, according to the rules of engagement below, and applies to any Security Vulnerabilities you are considering reporting to Verisure.  

We recommend reading this vulnerability disclosure Policy fully before you report a vulnerability.  

Please note Verisure does not offer monetary rewards for vulnerability disclosures. 

How to Report a Vulnerability

Verisure investigates all reports of Security Vulnerabilities affecting Products and Services. If you believe you have found a Security Vulnerability in a Verisure Product or Service, submit the vulnerability report via the submission form below, providing sufficient details for us to reproduce and investigate your actions. All mandatory fields must be filled in correctly and it is essential that you maintain confidentiality when reporting a vulnerability under this Policy. We ask that you do not disclose your investigation publicly until Verisure has completed the investigation, resolved or mitigated the vulnerability, and granted you permission to do so. 

Next Steps

After submitting your report, Verisure will notify you that the report has been correctly received and begin triage of the report. Verisure may contact you via the anonymous web portal to gather further information on the report and to keep you updated on the progress until closure.

Our internal process for addressing the vulnerability will start by reviewing the report and determining its impact, severity, and the complexity prior to implementing remediation actions as appropriate.

Verisure reserves the right to share the contents of the submitted vulnerability report and any subsequent findings with relevant parties but will not disclose details associated with the reporter.

Third Party Products or Services

Products, systems, and data not owned by Verisure are not covered under this Policy. Reporters must follow responsible disclosure policies provided by respective third parties if they wish to perform research or testing of these systems.

Rules of Engagement

Verisure appreciates the efforts and contributions from the security research community and requires that you adhere to the following rules.

Reporter Must Not:
- Break any applicable laws or regulations. 
- Introduce a new, or attempt to exploit an existing, vulnerability.
- Engage in social engineering or phishing of customers or employees.
- Demand financial compensation in exchange for the disclosure of a vulnerability.
- Access systems or data beyond what is necessary to identify and report a vulnerability.
- Tamper with alarm system devices or systems belonging to existing clients, even if it is their own.
- Modify, copy, share, corrupt or otherwise impact data processed or stored in Verisure Products or Systems.
- Use high-intensity, invasive, or destructive scanning tools to find vulnerabilities, or perform disruptive activities including, but not limited to, brute force attacks, denial-of-service attacks, or physical attacks against Verisure facilities or data centers.
- Interrupt alarm signals, notifications, or physically tamper with your own alarm system in any manner.
- Perform testing or research against third party services or systems not belonging to Verisure, such as against external cloud provider infrastructure. 
- Access unnecessary, excessive, or significant amounts of data other than what is required for discovery and confirmation of the vulnerability.

What Not to Report:
- Duplicate reports of Security Vulnerabilities.
- Reports detailing non-exploitable vulnerabilities.
- User interface bugs, user experience bugs, or spelling mistakes.
- Reports indicating that services do not fully align with “best practice”, such as missing security headers or self cross-site scripting.

Verisure Must:
- Acknowledge receipt of the vulnerability report within 30 days of receiving the report.
- Provide bi-weekly status updates to the reporter until closure of the vulnerability report.
- Provide a written decision as to whether or not the reporter can publicly disclose the vulnerability. If previously agreed upon by Verisure, Verisure must review the content of the public disclosure prior to publishing.

Definitions

Security Vulnerability
This Policy covers the disclosure of specific security vulnerabilities found in Verisure Products or Systems. Vulnerabilities covered by this Policy are those that represent a weakness in software or hardware components that, when exploited, may result in a negative impact on the confidentiality, integrity, or availability of Verisure data or services.

Verisure Product/Service
Verisure products or systems are those that are developed or manufactured by Verisure. Products, systems, and data not owned by Verisure are not covered under this Policy.

Questions and Support

The Verisure security team has been appointed to handle Security Vulnerability Disclosures; they may be contacted by filling in and submitting the form below.