Responsible Disclosure Policy

We at ERA Home Security believe the disclosure of vulnerabilities is essential, as they help us to improve the quality of our products and services. ERA values the security research community and welcomes their insights, disclosure and collaboration.

We will work with security researchers and other professionals to make our products and services more secure by allowing private reports of vulnerabilities.

The disclosure must be made legitimately and with integrity. Disclosures completed responsibly ensure that our security infrastructure is tested and proven reliable.

This process allows ERA to work with the researchers to identify and mitigate disclosed vulnerabilities efficiently.

The following is ERA Home Security's responsible disclosure policy:

• ERA will disclose known vulnerabilities and fixes to our customers in a manner that protects end-users of our products. Disclosures will include credit to the person/people/group who first identified the vulnerability, unless they request to remain anonymous.

• ERA does not provide a reward by way of money or gift to the researcher, nor do we have a bounty program. ERA will provide credit and publicly acknowledge the work of a researcher who brings us valid information about a vulnerability. We will then coordinate the public announcement after a fix or patch has been developed and tested.

• Security researchers are authorised to post a link to the ERA vulnerability disclosure page on their own websites as recognition for helping end-users to protect themselves.

• We ask security experts/researchers to work with us and coordinate the public disclosure of a vulnerability. Notifying end-users without first notifying ERA could harm end-users, exposing information and putting people and organisations in danger of malicious acts.

ERA proposes the following process:

1. Private disclosure of the potential vulnerability to ERA Home Security, allowing the vulnerability to be validated and resolved.

2. Public disclosure is coordinated by us, including the recognition of the discovery by the security researcher(s), confirming credit is given to the person/people/group.

Security researchers are reminded that our actions to investigate, validate and resolve reported vulnerabilities will vary based on the disclosure's severity and complexity.

We will communicate with you on a regular basis, advising of expected timelines and any changes, and we will seek to collaborate if and when possible. We request that researchers do not use tools that could compromise ERA's infrastructure or data while performing testing or evaluation.

If required, please contact us so we can negotiate a safe environment for this type of testing.

ERA applies industry best practices for the coordinated disclosure of vulnerabilities to protect our infrastructure and ecosystem, thus ensuring customers and end-users receive the highest quality information on how we improve products, protocols, standards and solutions.

As part of our responsible disclosure policy, we seek relationships with security researchers who adhere to a shared responsible approach to disclosing vulnerabilities.

Please contact us if this is of interest to you.

Vulnerability Disclosure Process

If you believe that you have discovered a vulnerability, please send an email to vulnerability.disclosure@eraprotect.com and ensure the following information is provided:

• First and last name
• Company name
• Contact telephone number (optional)
• Description of vulnerability
• Product(s) containing vulnerability
    o Hardware version
    o Software version
    o Part numbers
• Documented steps to reproduce the event(s)
• Provide sample code
• Document the impact of the vulnerability
• System details
• Proof of concept link
• Details of other parties involved
• Disclosure plans
• What was the scope and performance of the research when the potential vulnerability was discovered?


Listed below are ERA Home Security's target timelines for confirming and fixing disclosed vulnerabilities, by risk level:

Software (App & Platform)

Risk Level   Time to Confirm   Time to Fix
Low          Within 24 Hours   Within 90 Days
Medium       Within 12 Hours   Within 60 Days
High         Within 6 Hours    Within 30 Days

Hardware & Firmware

Risk Level   Time to Confirm   Time to Fix
Low          Within 30 Days    Within 90 Days
Medium       Within 30 Days    Within 60 Days
High         Within 30 Days    Within 30 Days

The timelines above are indicative and depend on the issue raised and the investigation required. Once the investigation has been completed, we will provide a further update on the timescale needed to resolve the issue. The disclosure table below will be updated on a regular basis until the issue is marked as closed.

Activity that we do not allow
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:

  • Public disclosure of personal, proprietary or financial information
  • The modification or deletion of data that isn’t yours
  • Interruption, degradation or outage to services (like Denial of Service attacks)
  • Spamming / social engineering / phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Local network-based attacks such as DNS poisoning or ARP spoofing

Vulnerability disclosures that are out of scope of our vulnerability disclosure policy

  • Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common / public services
  • Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)

Listed below are the vulnerabilities and potential vulnerabilities disclosed to ERA Home Security:

Date raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Camera remained connected to an external service after removal from the account. Based on data traffic analysis, the camera continued to transmit UDP traffic externally, at the same rate as when connected to the account.
Date of response: 15th January 2019
Resolution: Updated FAQ and QSG so that the camera is hard reset when deleted from an account.
Resolution date: 20/04/2019

Date raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Basic authentication is done over HTTP; the camera also reveals sensitive information (ID, MAC and internal IP address) in plain-text communication.
Date of response: 15th January 2019
Resolution: Authentication now done over HTTPS and all sensitive data encrypted. Firmware fix.
Resolution date: 20/04/2019

Date raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Camera sends snapshot images to S3 in clear text, along with the AWS access key in clear text.
Date of response: 15th January 2019
Resolution: Backend fix and firmware fix.
Resolution date: 20/04/2019

Date raised: 11th January 2023
Product: ERA Infrastructure
Vulnerability: During an internal audit, it was found that some of our servers were still running TLS 1.1.
Date of response: 20th January 2023
Resolution: Updated all our servers and services to TLS 1.2.
Resolution date: 29/01/2023

Date raised: 6th February 2023
Product: ERA TouchKey / ERA TouchKey module
Vulnerability: During an audit with BSI, the remote operation of the lock was captured and replayed at 866 MHz; it was possible to open the lock without the use of the mobile application.
Date of response: 28th February 2023
Resolution: Module firmware updated to resolve the issue. ERA_5s_pcb3_v2 was tested and released.
Resolution date: 12/03/2023

Date raised: 6th February 2023
Product: ERA Protect Alarm
Vulnerability: ERA 3555116 Audit stage One 1.0: the following ciphers supported by the hub were classed as weak at the time of the test (ciphers listed in report 355516).
Date of response: 28th February 2023
Resolution: Released new Hub firmware that supports TLS 1.2 and above.
Resolution date: 12/03/2023

Date raised: 6th February 2023
Product: ERA Infrastructure
Vulnerability: The following vulnerabilities were identified in the NIST Vulnerability Database at the time of the test:
    • nrf5_SDK
        o CVE-2021-29415
    • Corehttp
        o CVE-2007-4060
        o CVE-2009-3586
    • lwip
        o CVE-2020-22283
Resolution:
    • Nrf5_sdk: There is no path available to fix this. The risk is reduced by the fact that AWS authentication is required for all lock operations. We are working with suppliers, and once a fix is available the patch will be applied as soon as it is released.
    • Core-http: Not affected in our version; this was accepted by BSI in an earlier audit.
    • Lwip: We have fixed the issue with a non-formal release of the library.
Resolution date: Monitoring; will be reviewed when the patch is delivered.