Last updated: 11th November 2019, 12:57pm GMT
Listed below are potential vulnerabilities raised against ERA products, software and services. Each entry is listed together with the action taken by ERA Home Security Ltd.
| Date Raised | Vulnerability | Date of Response | ERA Response |
|---|---|---|---|
| 6th November 2019 | SSL cookie without secure flag set - responseelectronics.com | | |
| 7th November 2019 | Vulnerable version of the library 'jquery' found - eraeverywhere.com | | |
| 11th November 2019 | Vulnerable version of the library 'jquery' found - responseelectronics.com | | |
| 11th November 2019 | Account takeover using CSRF - responseelectronics.com | | |
| 11th November 2019 | Cookie without Http Only flag set - responseelectronics.com | | |
| 11th November 2019 | Cookie without Http Only flag set - eraeverywhere.com | | |
| 11th November 2019 | Cookies were issued by the application and do not have the secure flag set - eraeverywhere.com | | |
| 11th November 2019 | Vulnerable version of the library 'angularjs' found - eraeverywhere.com | | |
At ERA, we take the security of our products and services seriously, so it is immensely useful for us to get any feedback from researchers that can help develop our services.
We operate a reporting procedure for the responsible disclosure of any security vulnerabilities. If you are involved with security research, please find details below:
How to report a suspected security vulnerability:
If you believe you’ve found a potential vulnerability, please let us know by filling out the responsible disclosure form below and give us as much detail about it as possible.
Please do not make any information about any vulnerabilities public or do anything else that may put our customers’ data or our intellectual property at risk. And do not degrade our systems.
What actions will we take?
We will acknowledge your disclosure form and review the reported issue. After investigation, if there is an issue, we will provide an estimate for how long a resolution will take.
Activity that we do not allow:
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:
Vulnerability disclosures that are out of scope of our vulnerability disclosure policy: