How do I report a possible vulnerability or security issue?
We take cybersecurity issues very seriously. If you believe you have found a vulnerability in our products, we want to hear from you. This policy describes how to report potential security vulnerabilities in SimpliSafe products, which systems it covers, and what to expect from us after you submit a report.
We want you to feel comfortable reporting vulnerabilities you have discovered, as set out in this policy, so we can fix them and keep our users safe. If you discover a vulnerability, you may email security@simplisafe.com. You are not required to include any personal information when reporting a security vulnerability.
Upon receipt, we aim to respond to issues related to product security within 5 business days. If necessary, we may also provide quarterly status updates or you may request a status update at any time by emailing security@simplisafe.com.
For general product issues or complaints please visit https://support.simplisafe.com/en_GB.
Our Statement of Conformity for all applicable products for sale on the UK market is published separately.
If you are a security researcher and comply with the conditions below, we will consider your research authorised, will work with you to understand and resolve issues quickly, and will not recommend or pursue legal action related to your research. If you have any questions, please reach out to security@simplisafe.com before starting your research.
Scope
This policy applies to the following systems, purchased by you and running the latest firmware:
SimpliSafe Base Station [SSBS3]
Wireless Indoor Camera [CM006]
Wireless Outdoor Camera [CMOB1]
Video Doorbell Pro [SSDB3]
Wired Indoor Camera [SSCM1 and SSCM2]
Simplisafe.com, simplisafe.co.uk and the following subdomains:
SimpliSafe Home Security App from the iOS App Store
SimpliSafe Home Security App from the Google Play Store
Any services or products not expressly listed above, including without limitation any other subdomain of simplisafe.com or simplisafe.co.uk and third-party connected services, are excluded from the scope and are not authorised for testing.
We do not allow, and will not review, submissions based on brute-force authentication requests, denial of service, social engineering, physical attacks, or minor website misconfigurations such as 404 responses and similar findings.
Any vulnerabilities found in our vendors’ products, e.g., third party software libraries, fall outside this policy’s scope and should be reported directly to the vendor according to their vulnerability disclosure policy. If you aren’t sure whether a system or endpoint is in scope or not, contact us at security@simplisafe.com before starting your research.
Conditions
We ask that you:
Report new, unique vulnerabilities: This helps us focus on fixing the most impactful risks to our customers. Do not submit a high volume of low-quality/low-risk reports.
Don’t knock over systems or exfiltrate data: Only go as far as needed to confirm a vulnerability’s presence. Once you have obtained enough information to indicate a security issue, please do not try to establish persistence, target, enumerate, or exfiltrate any internal data, establish command-line access, use a vulnerability to pivot to other systems, test the physical security of offices, employees, or equipment, or otherwise compromise or disrupt any systems or user information. Stop your test immediately and notify only SimpliSafe if you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party).
Respect other users: Do not violate any user’s privacy; access or attempt to access data that does not belong to you; degrade the user experience; conduct non-technical attacks (e.g., social engineering, phishing, or unauthorised access to SimpliSafe infrastructure or employees); or take any action that may negatively affect SimpliSafe or its users, including disrupting production systems or exposing, destroying, or manipulating data.
Collaborate: Collaborate with us only through our coordinated disclosure process as soon as a vulnerability is identified. The email address and optional PGP key are available below.
Notify us (steps below) as soon as you discover a real or potential security issue with our system. We want to address these issues promptly, and ask that you not delay notifying us in order to conduct further research, e.g., on other products.
Provide us a reasonable amount of time to resolve the issue before you disclose it publicly: 90 calendar days from our receipt of your report for software (including cloud-based systems and mobile apps), or 120 calendar days from our receipt of your report for hardware, firmware, and wireless.
How to Submit a Vulnerability
You should report potential vulnerabilities to us via email at security@simplisafe.com. For sensitive information, we encourage you to encrypt your message using our PGP key, 0x7A54DAA351B4E054; verify the key’s full fingerprint before encrypting to it, as a key ID alone is not sufficient to identify a key.
For all reports, please include:
A detailed description of the purported vulnerability and the steps required to reproduce it, including any settings or modifications applied. Proof of concept (POC) scripts, screenshots, and photos are all helpful. In the body of your email, please identify any files which contain exploit code.
Technical information related to the issue, including:
For hardware systems:
The model and serial number of all components tested
Information on system versions and configuration (e.g. paired sensors)
Information on how the system was acquired (e.g. from SimpliSafe.com, a third-party reseller)
For software, web, and mobile:
Mobile application version
Device type, operating system version, browser version
When you disclose a suspected vulnerability to us, we will acknowledge receipt of your communication and follow up with you by email. We will make all reasonable efforts to communicate quickly and proactively, and ask that you do the same. By reporting a security bug or vulnerability, you give us the right to use your report for any purpose.
What to Expect When You Report a Vulnerability
Timeline
SimpliSafe is committed to resolving suspected vulnerabilities within 90 calendar days of our receipt of the related security research for software (including cloud-based systems and mobile apps), or 120 calendar days of receipt for hardware, firmware, and wireless.
Within this window, we will investigate the vulnerability and if verified, we will issue a patch to address it. If a patch is not feasible in our sole discretion, we will determine how best to inform customers of recommended mitigations. We will provide relevant updates and request your feedback as needed during our investigation.
Public Disclosure
As set out in the guidelines above, to comply with this policy we ask that you refrain from sharing your report about SimpliSafe with others prior to submitting it to us and while we investigate the suspected vulnerability and potentially work on a patch or other resolution. Please raise any SimpliSafe issues with us before you make a disclosure.
We will inform you when we finalize our findings after the vulnerability is resolved. To comply with this policy, we require that you link to SimpliSafe’s findings alongside your findings in any blog posts, public reports, presentations or any other public statements on the matter. Other than potentially listing an overall timeline regarding the vulnerability you brought to our attention, we will not publish information about you or our communications with you without your permission. If you wish to be recognized, we will thank you by name or handle in our advisory. SimpliSafe does not credit employees or contractors of SimpliSafe and its subsidiaries for vulnerabilities they have found.
To the extent this policy refers to a “vulnerability” or “vulnerabilities,” it is intended and understood that all such references mean potential or suspected vulnerabilities, whether so stated or not, until such vulnerability has been investigated and confirmed by SimpliSafe. Whether to recognize the disclosure of a vulnerability and the timing of the recognition is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws.
Policy Changes
Last Updated: July 2024
SimpliSafe may cancel this program or change this policy at any time. Please review the current version of the policy at this address before performing any vulnerability testing or taking any other action based on the policy.