Responsible Disclosure Policy
We at ERA Home Security believe the disclosure of vulnerabilities is essential, as it helps us to improve the quality of our products and services. ERA values the security research community and welcomes its insights, disclosure and collaboration.
We will work with security researchers and other professionals to make our products and services more secure by allowing private reports of vulnerabilities.
The disclosure must be made legitimately and with integrity.
Disclosures completed responsibly ensure that our security infrastructure is tested and proven reliable.
This process allows ERA to work with the researchers to identify and mitigate disclosed vulnerabilities efficiently.
The following is ERA Home Security's responsible disclosure policy:
• ERA will disclose known vulnerabilities and fixes to our customers in a manner that protects end-users of our products. Disclosures will include credit to the person/people/group who first identified the vulnerability, unless they request to remain anonymous.
• ERA does not provide rewards by way of money or gifts to researchers, nor do we have a bounty program. ERA will provide credit and publicly acknowledge the work of a researcher who brings us valid information about a vulnerability. We will then coordinate the public announcement after a fix or patch has been developed and tested.
• Security researchers are authorised to post a link to the ERA vulnerability disclosure page on their own websites as recognition for helping end-users to protect themselves.
• We ask security experts/researchers to work with us and coordinate the public disclosure of a vulnerability. Notifying end-users without first notifying ERA could harm end-users, exposing information and putting people and organisations in danger of malicious acts.
ERA proposes the following process:
1. Private disclosure of the potential vulnerability to ERA Home Security, allowing the vulnerability to be validated and resolved.
2. Public disclosure is coordinated by us, including the recognition of the discovery by the security researcher(s), confirming credit is given to the person/people/group.
Security researchers are reminded that our actions to investigate, validate and resolve reported vulnerabilities will vary based on the disclosure's severity and complexity.
We will communicate with you on a regular basis, advising of expected timelines and any changes, and we will seek to collaborate if and when possible.
We request that researchers do not use tools that could compromise ERA's infrastructure or data while performing testing or evaluation.
If this type of testing is required, please contact us so we can arrange a safe environment for it.
ERA applies industry best practices for the coordinated disclosure of vulnerabilities to protect our infrastructure and ecosystem, ensuring that customers and end-users receive the highest quality information on how we improve products, protocols, standards and solutions.
As part of our responsible disclosure policy, we seek relationships with security researchers who adhere to a shared, responsible approach to disclosing vulnerabilities.
Please contact us if this is of interest to you.
Vulnerability Disclosure Process
If you believe that you have discovered a vulnerability, please send an email to vulnerability.disclosure@eraprotect.com and ensure the following information is provided:
- First and last name
- Company name
- Contact telephone number (optional)
- Description of the vulnerability
- Product(s) containing the vulnerability
  - Hardware version
  - Software version
  - Part numbers
- Documented steps to reproduce the event(s)
- Sample code
- Impact of the vulnerability
- System details
- Proof of concept link
- Details of other parties involved
- Disclosure plans
- The scope and performance of the research when the potential vulnerability was discovered
Our target times to confirm and fix vulnerabilities disclosed to ERA Home Security are listed below:
Software (App & Platform)

| Risk Level | Time to Confirm | Time to Fix |
|---|---|---|
| Low | Within 24 Hours | Within 90 Days |
| Medium | Within 12 Hours | Within 60 Days |
| High | Within 6 Hours | Within 30 Days |
Hardware & Firmware

| Risk Level | Time to Confirm | Time to Fix |
|---|---|---|
| Low | Within 30 Days | Within 90 Days |
| Medium | Within 30 Days | Within 60 Days |
| High | Within 30 Days | Within 30 Days |

The timelines above are indicative and depend on the issue raised and the investigation required. Once the investigation has been completed, we will provide a further update on the timescale needed to resolve the issue. The disclosure table will be updated on a regular basis until the issue is marked as closed.
Activity that we do not allow
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:
- Public disclosure of personal, proprietary or financial information
- The modification or deletion of data that isn’t yours
- Interruption, degradation or outage to services (like Denial of Service attacks)
- Spamming / social engineering / phishing attacks
- Physical exploits and/or attacks on our infrastructure
- Local network-based attacks such as DNS poisoning or ARP spoofing
Vulnerability disclosures that are out of the scope of our vulnerability disclosure policy:
- Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
- Fingerprinting / banner / version disclosure of common / public services
- Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)
Listed below are the vulnerabilities and potential vulnerabilities disclosed to ERA Home Security:
| Date Raised | Product | Vulnerability | Date of response | Resolution | Resolution date |
|---|---|---|---|---|---|
| 7th January 2019 | ERA Floodlight Camera & ERA Outdoor Camera | Camera remained connected to the external service after removal from the account; based on data traffic analysis, the camera continued to transmit UDP traffic externally at the same rate as when connected to the account | 15th January 2019 | Updated FAQ and QSG so that the camera is hard reset when deleted from the account. | 20/04/2019 |
| 7th January 2019 | ERA Floodlight Camera & ERA Outdoor Camera | Basic authentication is done over HTTP; the camera also reveals sensitive information relating to ID, MAC and internal IP address in unencrypted communication. | 15th January 2019 | Authentication now done over HTTPS and all sensitive data encrypted. Firmware fix: | 20/04/2019 |
| 7th January 2019 | ERA Floodlight Camera & ERA Outdoor Camera | Camera sends snapshot images to S3 in clear text along with the AWS access key in clear text | 15th January 2019 | Backend fix and firmware fix | 20/04/2019 |
| 11th January 2023 | ERA Infrastructure | During an internal audit, it was found that some of our servers were still running TLS 1.1 | 20th January 2023 | Updated all our servers and services to TLS 1.2 | 29/01/2023 |
| 6th February 2023 | ERA TouchKey/ERA TouchKey module | During an audit with BSI, the remote operation of the lock was captured and replayed at 866 MHz; it was possible to open the lock without the use of the mobile application | 28th February 2023 | Module firmware updated to resolve the issue. ERA_5s_pcb3_v2 was tested and released | 12/03/2023 |
| 6th February 2023 | ERA Protect Alarm | ERA 3555116 Audit Stage One 1.0: the following ciphers supported by the hub were classed as weak at the time of the test (ciphers listed in report 355516) | 28th February 2023 | Released new Hub firmware that supports TLS 1.2 and above. | 12/03/2023 |
| 6th February 2023 | ERA Infrastructure | The following vulnerabilities were identified in the NIST Vulnerability Database at the time of the test: nrf5_SDK: CVE-2021-29415; Corehttp: CVE-2007-4060, CVE-2009-3586; lwip: CVE-2020-22283 | | nrf5_SDK: there is no patch available to fix this. The risk is reduced by the fact that AWS authentication is required for all lock operations. We are working with suppliers, and the patch will be applied as soon as it is released. Core-http: not affected in our version; this was accepted by BSI in an earlier audit. lwip: we have fixed the issue with a non-formal release of the library. | Monitoring; will be reviewed when the patch is delivered. |