Disclosure Policy

ASSA ABLOY Opening Solutions Americas and/or any of its group companies (together or individually, “ASSA ABLOY Americas”) believes that the disclosure of vulnerabilities is essential to improving the quality of our products and services. ASSA ABLOY Americas values the insights of the security research community and welcomes disclosure and collaboration.

Through our responsible disclosure process ASSA ABLOY Americas will work with security researchers and other vulnerability investigators to make our products and services more secure by providing a mechanism to privately report vulnerabilities with legitimacy and integrity. Responsible disclosure ensures that security infrastructure is tested and proven reliable. This process allows us to work collaboratively with the researchers to identify and mitigate vulnerabilities quickly in an ever-changing security environment.

The following is ASSA ABLOY Americas' responsible disclosure policy:

  • ASSA ABLOY Americas will disclose known vulnerabilities and their fixes to its customers in a manner that protects the end-users of our products. Disclosures made by ASSA ABLOY Americas will include credit to the person who first identified the vulnerability, unless they request otherwise.
  • ASSA ABLOY Americas is open to communication and working with security researchers who come to ASSA ABLOY Americas with a shared interest in improving security and coordinating the distribution of information, including both the vulnerability and the solution that addresses it.
  • ASSA ABLOY Americas does not have a bounty program or a monetary award for the researcher. However, ASSA ABLOY Americas will provide credit and publicly acknowledge, in a written advisory, the work of a security researcher who privately brings the company valid information about a vulnerability and then works with ASSA ABLOY Americas to coordinate the public announcement after a fix or patch has been developed and tested.
  • Security researchers are allowed to post a link to the ASSA ABLOY Americas advisory on their own websites as recognition for helping minimize risks and helping end-users protect themselves.

We ask the security researcher community to work with ASSA ABLOY Americas to coordinate the public disclosure of a vulnerability. Prematurely revealing a vulnerability publicly without first notifying ASSA ABLOY Americas could hurt end-users, exposing sensitive information and putting people and organizations in danger of malicious attacks.

To that end, ASSA ABLOY strongly advocates a two-step process: first, private disclosure of a potential vulnerability to ASSA ABLOY. Once the vulnerability is validated and resolved, ASSA ABLOY Americas coordinates the public disclosure, which includes the recognition of the security researcher’s discovery, confirming that credit is given to the right person(s).

We ask that researchers recognize that our actions to investigate, validate and remediate reported vulnerabilities vary based on complexity and severity. We will communicate expected timelines and changes, and collaborate where possible. Additionally, we request that researchers not run Denial of Service tools or compromise ASSA ABLOY Americas user infrastructure or personal information while performing testing or evaluation. If this kind of testing is necessary, we request that they contact us, so that we may provide testable products in a non-production environment for such purposes where reasonably possible.

Like other leading companies, ASSA ABLOY Americas applies industry best practices for coordinated disclosure of vulnerabilities to protect the security ecosystem, ensuring that customers get the highest quality information and driving public discourse about ways to improve products, protocols, methodologies, standards and solutions.

As part of its responsible disclosure program, ASSA ABLOY Americas is seeking relationships with security researchers who adhere to a coordinated, shared responsibility approach to publicly disclosing a vulnerability. ASSA ABLOY Americas invites security researchers and other vulnerability investigators to join us in this effort.

CALL TO ACTION

If you believe you have discovered a vulnerability, click on the “Reporting Guidelines” tab in this ASSA ABLOY Security Resources Center for instructions on how to privately submit your findings to the ASSA ABLOY Security Response Team, or you can connect with us directly at security@assaabloy.com.


Appendix

ASSA ABLOY Americas Brands participating in the Responsible Disclosure Policy

  • Adams Rite
  • Alarm Controls
  • Corbin Russwin
  • Emtek
  • HES
  • LuxerOne
  • Markar
  • McKinney
  • Medeco
  • Norton Door Controls
  • Pemko
  • Rixson
  • Rockwood
  • Sargent
  • Securitron
  • Yale (Commercial)