Executive Summary
Verisure is committed to ensuring the security of our Products, Systems, and all customer, partner, and employee data. We value collaboration with our community of users and researchers who can contribute to the identification of Security Vulnerabilities in our Products and Systems. This Policy outlines a process for responsible Security Vulnerability disclosure, with the goal of facilitating effective collaboration and rapid remediation of security issues.
Introduction
This Policy establishes guidelines for reporting and handling Security Vulnerabilities in a responsible manner, according to the rules of engagement below, and applies to any Security Vulnerabilities you are considering reporting to Verisure.
We recommend reading this Policy fully before you report a potential Security Vulnerability.
Please note Verisure does not offer monetary rewards for Security Vulnerability disclosures.
Capitalised words can be found in the definitions section of this document.
Key Principles
| Principle | Description |
| --- | --- |
| Good Faith | Verisure will not pursue legal action against reporters who discover and disclose Security Vulnerabilities in good faith, in accordance with this Policy. |
| Intentional Non-Compliance | Verisure does not provide immunity in cases of intentional or irresponsible disclosure of Security Vulnerabilities without following established procedures, such as publicly disclosing an identified Security Vulnerability. |
| Disruption of Services | The Policy does not permit activities that could impact the confidentiality, integrity, or availability of information and systems, such as interference with Verisure's Services or the functioning of Verisure Products. |
| Rules of Engagement | The reporter must review and follow the Rules of Engagement section defined in this Policy. |
Who Must Follow This Policy
This Policy is intended to be followed by the various stakeholders in our community who are considering reporting a Security Vulnerability found in our systems: security researchers and ethical hackers, users and customers who find problems during normal use of a Service or Product, the internal Verisure teams who will address these Security Vulnerabilities, and the end users affected by them.
How Do I Comply?
How to Report a Vulnerability
Verisure investigates all reports of Security Vulnerabilities affecting Products and Services. If you believe you have found a Security Vulnerability in a Verisure Product or Service, submit the vulnerability report via the submission form below, providing sufficient details for us to reproduce and investigate your actions. All mandatory fields must be filled in correctly, and it is essential that you maintain confidentiality when reporting a Security Vulnerability under this Policy. We ask that you do not disclose your investigation publicly until Verisure has completed the investigation, resolved or mitigated the Security Vulnerability, and granted you permission to do so.
Next Steps
After you submit your report, Verisure will notify you that the report has been correctly received and will begin triage. Verisure may contact you via the anonymous web portal to gather further information on the report and to keep you updated on progress until closure.
Our internal process for addressing the Security Vulnerability starts by reviewing the report and determining its impact, severity, and complexity before implementing remediation actions as appropriate.
Verisure reserves the right to share the contents of the submitted Security Vulnerability report and any subsequent findings with relevant parties but will not disclose details associated with the reporter.
Third Party Products or Services
Products, systems, and data not owned by Verisure are not covered under this Policy. Reporters must follow responsible disclosure policies provided by respective third parties if they wish to perform research or testing of these systems.
Rules of Engagement
Verisure appreciates the efforts and contributions from the security research community and requires that you adhere to the following rules. Verisure will not pursue legal action against reporters who discover and disclose Security Vulnerabilities in good faith and in accordance with this Policy.
Reporter Must Not:
- Break any applicable laws or regulations.
- Introduce a new, or attempt to exploit an existing, Security Vulnerability.
- Engage in social engineering or phishing of customers or employees.
- Demand financial compensation in exchange for the disclosure of a Security Vulnerability.
- Access systems or data beyond what is necessary to identify and report a Security Vulnerability.
- Tamper with alarm system devices or systems belonging to existing clients, even if the system is your own.
- Modify, copy, share, corrupt or otherwise impact data processed or stored in Verisure Products or systems.
- Use high-intensity, invasive, or destructive scanning tools to find Security Vulnerabilities, or perform disruptive activities, including, but not limited to, brute force attacks, denial-of-service attacks, or physical attacks against Verisure facilities or data centres.
- Interrupt alarm signals or notifications, or physically tamper with your own alarm system in any manner.
- Perform testing or research against third-party services or systems not belonging to Verisure, such as against external cloud provider infrastructure.
- Access unnecessary, excessive, or significant amounts of data other than what is required for discovery and confirmation of the Security Vulnerability.
Reporter Must:
- Only access data and systems to the extent necessary to confirm the existence of a Security Vulnerability.
- Stop research and/or testing activities upon confirming the existence of a Security Vulnerability, and report findings to Verisure without delay.
- Securely delete all data retrieved during research as soon as the Security Vulnerability has been reported and confirmation of acceptance has been received from Verisure.
- Wait for written approval from Verisure before publicly disclosing details of the Security Vulnerability. Content of the public disclosure must also be approved by Verisure.
What Not to Report:
- Duplicate reports of Security Vulnerabilities.
- Non-exploitable Security Vulnerabilities.
- User interface bugs, user experience bugs, or spelling mistakes.
- Findings that Products and Services do not fully align with "best practice", such as missing security headers or self cross-site scripting.
Verisure Must:
- Acknowledge receipt of a Security Vulnerability report within 30 days of receiving it.
- Provide bi-weekly status updates to the reporter, from the acknowledgement of receipt until closure of the Security Vulnerability report.
- Provide a written decision as to whether or not the reporter may publicly disclose the Security Vulnerability. Where previously agreed with Verisure, Verisure must review the content of the public disclosure prior to publication.
Responsible Disclosure Regulation
This Policy is designed to be compatible with common Security Vulnerability disclosure good practice and applicable regulations. It does not provide immunity to those who act in any manner that is inconsistent with the law, or which might cause Verisure or partner organisations to be in breach of any legal obligations.
Who does What?
| Responsible | Description |
| --- | --- |
| Reporter | Any individual who reports a Security Vulnerability found in Verisure Products or Systems, including, but not limited to, security researchers, ethical hackers, partners, employees, and Verisure customers who find problems during normal use of a Product or Service. |
| Verisure | All Verisure personnel, including employees and contractors, involved in the process to review and respond to Security Vulnerabilities reported through this medium. |
Definitions
| Term | Definition |
| --- | --- |
| Security Vulnerability | A specific security vulnerability found in Verisure Products or Services that represents a weakness in software or hardware components which, when exploited, may result in a negative impact to the confidentiality, integrity, or availability of Verisure data or services. |
| Verisure Product/Service | Products or systems developed or manufactured by Verisure. Products, systems and data not owned by Verisure are not covered under this Policy. |
Questions and Support
The Verisure security team has been appointed to handle Security Vulnerability Disclosures; they may be contacted by filling in and submitting the form below.
