Vulnerability Disclosure

Listed below are potential vulnerabilities raised against ERA products, software and services, together with the actions taken by ERA Home Security Ltd in response.

| Date Raised | Vulnerability | Date of Response |
| --- | --- | --- |
| 6th November 2019 | SSL cookie without secure flag set - responseelectronics.com | |
| 7th November 2019 | Vulnerable version of the library 'jquery' found - eraeverywhere.com | |
| 11th November 2019 | Vulnerable version of the library 'jquery' found - responseelectronics.com | |
| 11th November 2019 | Account takeover using CSRF - responseelectronics.com | |
| 11th November 2019 | Cookie without HttpOnly flag set - responseelectronics.com | |
| 11th November 2019 | Cookie without HttpOnly flag set - eraeverywhere.com | |
| 11th November 2019 | Cookies were issued by the application and do not have the secure flag set - eraeverywhere.com | |
| 11th November 2019 | Vulnerable version of the library 'angularjs' found - eraeverywhere.com | |

ERA Vulnerability Disclosure

At ERA, we take the security of our products and services seriously, so it is immensely useful for us to get any feedback from researchers that can help develop our services. We operate a reporting procedure for the responsible disclosure of any security vulnerabilities. If you are involved with security research, please find details below.

How to report a suspected security vulnerability
If you believe you’ve found a potential vulnerability, please let us know by filling out the responsible disclosure form below and give us as much detail as possible. Please do not make any information about any vulnerabilities public or do anything else that may put our customers’ data or our intellectual property at risk, or degrade our systems.

What actions will we take?
We will acknowledge your disclosure form and review the reported issue.

Software: we will investigate, and if an issue is identified we will disclose this. We aim to have the vulnerability resolved within 90 days of being notified, and we will advise of any follow-up activity required. The table above will be updated during the investigation.

Hardware: we will investigate, and if an issue is identified we will disclose this. On conclusion of the investigation, we will provide an estimated time to resolve the vulnerability and details of any follow-up activity required. The table above will be updated during the investigation.

Activity that we do not allow
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:

  • Public disclosure of personal, proprietary or financial information
  • The modification or deletion of data that isn’t yours
  • Interruption, degradation or outage to services (like Denial of Service attacks)
  • Spamming / social engineering / phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Local network-based attacks such as DNS poisoning or ARP spoofing

Vulnerability disclosures that are out of scope of our vulnerability disclosure policy

  • Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common / public services
  • Username / email enumeration by brute forcing or by inference of certain error messages, except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)

Reporting form

Attachments

If you have any attachments, screenshots, etc. to send, please email them to support@eraprotect.com