Vulnerability Disclosure
Listed below are potential vulnerabilities raised against ERA products, software and services. In addition to the issues raised are the actions taken by ERA Home Security Ltd.
| Date Raised | Vulnerability | Date of Response | ERA Response |
|---|---|---|---|
ERA Vulnerability Disclosure
At ERA, we take the security of our products and services seriously, so it is immensely useful for us to get any feedback from researchers that can help develop our services. We operate a reporting procedure for the responsible disclosure of any security vulnerabilities. If you are involved with security research, please find details below.
How to report a suspected security vulnerability
If you believe you’ve found a potential vulnerability, please let us know by filling out the responsible disclosure form below and give us as much detail as possible.
Please do not make any information about any vulnerabilities public or do anything else that may put our customers’ data or our intellectual property at risk, or degrade our systems.
What actions will we take?
We will acknowledge your disclosure form and review the reported issue.
Software – we will investigate, and if an issue is identified we will disclose this. We aim to have the vulnerability resolved within 90 days of us being notified, and will advise of any follow-up activity required. The table above will be updated during the investigation.
Hardware – we will investigate, and if an issue is identified we will disclose this. On conclusion of the investigation, we will provide an estimated time to resolve the vulnerability, and any follow-up activity required. The table above will be updated during the investigation.
Activity that we do not allow
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:
- Public disclosure of personal, proprietary or financial information
- The modification or deletion of data that isn’t yours
- Interruption, degradation or outage to services (like Denial of Service attacks)
- Spamming / social engineering / phishing attacks
- Physical exploits and/or attacks on our infrastructure
- Local network-based attacks such as DNS poisoning or ARP spoofing
Vulnerability disclosures that are out of scope of our vulnerability disclosure policy
- Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
- Fingerprinting / banner / version disclosure of common / public services
- Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)