As part of our commitment to our customers, we take cybersecurity issues very seriously. If you believe you have found a vulnerability in our products, we want to hear from you. This policy describes how to report potential security vulnerabilities in SimpliSafe products, the systems covered under this policy, and our process for security researchers to report a suspected vulnerability. 

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered—as set out in this policy—so we can fix them and keep our users safe. If you demonstrably comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly and SimpliSafe will not recommend or pursue legal action related to your research. If you have any questions, please reach out to us before starting your research. 

Scope

This policy applies to the following systems (purchased yourself) on the latest firmware:

• Base Station version 3 & Keypad

• Smart Lock & Pin Pad

• SimpliCam Indoor Camera

• Video Doorbell Pro

• Wireless Outdoor Camera

• Smart Alarm™ Indoor Camera

• Simplisafe.com and the following subdomains: 

  • webapp.simplisafe.com

  • api.simplisafe.com

• SimpliSafe Home Security App from the iOS App Store

• SimpliSafe Home Security App from the Google Play Store

Any services or products not expressly listed above, including without limitation any other subdomain of simplisafe.com and third party connected services, are excluded from the scope and are not authorized for testing.

We do not allow and will not review submissions based on brute force authentication requests, denial of service, social engineering, physical attacks, or minor website misconfigurations such as 404 codes and others.

Any vulnerabilities found in our vendors’ products, e.g., third party software libraries, fall outside this policy’s scope and should be reported directly to the vendor according to their vulnerability disclosure policy. If you aren’t sure whether a system or endpoint is in scope or not, contact us at security@simplisafe.com before starting your research.

Conditions

We ask that you:

1. Report new, unique vulnerabilities: This helps us focus on fixing the most impactful risks to our customers. Do not submit a high volume of low-quality/low-risk reports.

2. Don’t knock over systems or exfiltrate data: Only go as far as needed to confirm a vulnerability’s presence. Once you have obtained enough information to indicate a security issue, please do not try to establish persistence, target, enumerate, or exfiltrate any internal data, establish command-line access, use a vulnerability to pivot to other systems, test the physical security of box offices, employees, equipment or otherwise compromise or disrupt any systems or user information. Stop your test and notify only SimpliSafe, immediately, if you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party).

3. Respect other users: Do not: violate any user’s privacy, access or attempt to access data that does not belong to you; cause any degradation of user experience, conduct non-technical attacks (e.g., social engineering, phishing or unauthorized access to infrastructure and employees of SimpliSafe) or perform any actions that may negatively affect SimpliSafe or its users; cause disruption to production systems, and exposure, destruction or manipulation of data.

4. Collaborate: Collaborate with us only through our coordinated disclosure process as soon as a vulnerability is identified. The email address and optional PGP key are available below.

5. Notify us (steps below) as soon as you discover a real or potential security issue with our system. We want to promptly address these issues and ask that timely notice to us not be sacrificed while you may be conducting further research, e.g., on other products.

6. Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. 90 calendar days from receipt by us (software, including cloud-based systems and mobile apps) or 120 calendar days from receipt by us (hardware, firmware, and wireless).

How to Submit a Vulnerability

You should report potential vulnerabilities to us via email at security@simplisafe.com. For sensitive information, we encourage you to encrypt your message using our PGP key: 0x7A54DAA351B4E054.

For all reports, please include:

• A detailed description of the purported vulnerability and the steps required to reproduce it, including any settings or modifications applied. Proof of concept (POC) scripts, screenshots, and photos are all helpful. In the body of your email, please identify any files which contain exploit code.

• Technical information related to the issue, including:

  • For hardware systems:

    • The model and serial number of all components tested

    • Information on system versions and configuration (e.g. paired sensors)

    • Information on how the system was acquired (e.g. from SimpliSafe.com, a third-party reseller)

  • For software, web, and mobile:

    • Mobile application version

    • Device type, operating system version, browser version

When you disclose a suspected vulnerability to us, we will acknowledge receipt of your communication and follow-up with you by email. We will make all reasonable efforts to communicate quickly and proactively and ask that you do the same. By reporting a security bug or vulnerability, you give us the right to use your report for any purpose.

What to Expect When You Report a Vulnerability

Timeline

SimpliSafe is committed to resolving suspected vulnerabilities within 90 calendar days of receipt by us (software, including cloud-based systems and mobile apps) or 120 calendar days of receipt by us (hardware, firmware, and wireless) of the related security research.

Within this window, we will investigate the vulnerability and if verified, we will issue a patch to address it. If a patch is not feasible in our sole discretion, we will determine how best to inform customers of recommended mitigations. We will provide relevant updates and request your feedback as needed during our investigation.

Public Disclosure

As set out in the guidelines above, to comply with this policy we ask that you refrain from sharing your report about SimpliSafe with others prior to submitting it to us and while we investigate the suspected vulnerability and potentially work on a patch or other resolution. Please raise any SimpliSafe issues with us before you make a disclosure.

We will inform you when we finalize our findings after the vulnerability is resolved. To comply with this policy, we require that you link to SimpliSafe’s findings alongside your findings in any blog posts, public reports, presentations or any other public statements on the matter. Other than potentially listing an overall timeline regarding the vulnerability you brought to our attention, we will not publish information about you or our communications with you without your permission. If you wish to be recognized, we will thank you by name or handle in our advisory. SimpliSafe does not credit employees or contractors of SimpliSafe and its subsidiaries for vulnerabilities they have found.

To the extent this policy refers to a “vulnerability” or “vulnerabilities,” it is intended and understood that all such references mean potential or suspected vulnerabilities, whether so stated or not, until such vulnerability has been investigated and confirmed by SimpliSafe. Whether to recognize the disclosure of a vulnerability and the timing of the recognition is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws.

Policy Changes

Last Updated: August 19, 2020

SimpliSafe may cancel this program or change this policy at any time. Please review the current version of policy at this address before performing any vulnerability testing or taking any other
action based on the policy.