Responsible Disclosure Policy

ASSA ABLOY Group believes that the disclosure of vulnerabilities is essential for improving the quality of our products and services, the safety of the customers who rely on them, and customers' awareness of the choices available to them for protecting their specific interests. ASSA ABLOY values insight from the security research community and welcomes disclosure and collaboration with this community.

ASSA ABLOY values the insight and commitment of security researchers and other vulnerability investigators who make the world a safer place by discovering vulnerabilities in security solutions and reporting them privately, with legitimacy and integrity, through the mechanisms provided for that purpose.

Responsible disclosure ensures that security access infrastructure is tested and proven reliable. Moreover, the commitment to mitigate vulnerabilities is reassuring for our customers and the security industry as a whole.

The following is the ASSA ABLOY Group's responsible disclosure policy:

  • ASSA ABLOY will disclose known vulnerabilities and their fixes to its customers in a manner that protects ASSA ABLOY and its customers. Disclosures made by ASSA ABLOY will include credit to the person who first identified the vulnerability unless otherwise requested by the one who reported it.
  • ASSA ABLOY is open to communication and working with security researchers who come to ASSA ABLOY with a shared interest to improve security and coordinate the distribution of information that includes both the vulnerability and the solution that addresses it.
  • ASSA ABLOY will publicly acknowledge, in a written advisory, the work of a security researcher who privately brings the company valid information about a vulnerability and then works with ASSA ABLOY to coordinate the public announcement. The announcement follows once a fix or patch has been developed and fully tested, and once a reasonable amount of time has passed for it to be deployed by ASSA ABLOY and its customers.
  • Security researchers are allowed to post a link to the ASSA ABLOY Group advisory on their own websites as recognition for minimizing risks for the greater good and helping end-users protect themselves.

We ask the security researcher community to work with ASSA ABLOY Group to coordinate the public disclosure of a vulnerability. Prematurely revealing a vulnerability publicly without first notifying ASSA ABLOY could hurt organizations, exposing sensitive information and putting people and organizations in danger of malicious attacks.

This is why ASSA ABLOY strongly advocates a two-step process: first, private disclosure of a potential vulnerability to ASSA ABLOY. Once the vulnerability has been validated and resolved, and ASSA ABLOY and its customers have been given a reasonable time to deploy the fix, ASSA ABLOY coordinates the public disclosure, which includes recognition of the security researcher's discovery, confirming that credit is given to the right person(s). We also ask researchers to recognize that the time we need to investigate, validate and remediate reported vulnerabilities varies with their complexity and severity. We will communicate expected timelines and any changes to them, and collaborate where possible. In addition, we request that researchers do not perform denial-of-service attacks, or compromise ASSA ABLOY user infrastructure or personal information.

Like other leading companies, ASSA ABLOY applies industry best practices for coordinated disclosure of vulnerabilities to protect the security ecosystem, ensure that customers get the highest quality information, and drive public discourse about ways to improve products, protocols, methodologies, standards, and solutions.

Call to Action

If you believe you have discovered a vulnerability, contact ASSA ABLOY Group Product Security Center to report your finding privately, using the email address: productsecurity@assaabloy.com.
Please encrypt your email with PGP and this public key.

Please include, if possible, the information below in your email report:

  • Any contact details (e.g., Signal, WhatsApp, or other messaging accounts)
  • Company name
  • Preferred email contact
  • General description of the vulnerability
  • The product containing the vulnerability (hardware & software versions), part numbers
  • Tools, hardware, and other configurations required to trigger the event
  • Any security or service pack updates applied
  • Document instructions to reproduce the event
  • Sample code, proof of concept, or executable used to produce the event
  • Definition of how the vulnerability will impact a user, including how the attacker could breach security on-site
  • Affected product
  • System details (develop for a range of ASSA ABLOY Group products)
  • Technical description and steps to reproduce
  • PoC (link)
  • Other parties and products involved
  • Disclosure plans/dates/drivers
  • What was the purpose and scope of research being performed when found (context)?