Jabra Security Center - Jabra's commitment to Product Security
Jabra's commitment to Product Security
At Jabra, we take security and privacy seriously and we commit to doing our best to secure our products and maintaining our customers' trust. As part of this commitment, Jabra will release the appropriate and necessary updates to address security related issues, for enterprise-grade devices in relevant product families for up to five (5) years from product launch and covering as a minimum the period of warranty.
Product Vulnerability Disclosure Policy
Introduction
Jabra is committed to the security and assurance of all our products and services and therefore, we acknowledge the importance and key role that independent security researchers play in helping to protect systems and data. With the intention of supporting this goal, Jabra welcomes the disclosing persons to disclose any vulnerability found in our products so our teams can collaborate and coordinate a security fix.
This policy describes how Jabra manages the vulnerability disclosures and the different considerations that need to be made when reporting them in a responsible way.
Scope
The Product Vulnerability Disclosure Policy addresses all products and services sold under the Jabra brand, including software and hardware. However, certain types of vulnerabilities are out of scope, and they include:
- No longer supported products, including outdated software.
- Suggestion on configuration management and/or misconfigurations based on best practices.
- Weak TLS/SSL configuration and certificates, including insecure cipher suites.
- UI/UX bugs.
Our product vulnerability policy is designed to address vulnerabilities within our own products. Any vulnerabilities related to third-party vendors fall outside of this policy and should be reported directly to the vendor according to their disclosure policy (if any).
Compliance with the policy
If the policy is followed and adhered to as described, Jabra will not pursue civil action or support any legal action related to your security research activity for accidental, good faith violations of this policy, or initiate a complaint to law enforcement for unintentional violations.
We encourage you to contact us - using the contact information below - for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
Guidelines
When trying to exploit a potential vulnerability, you must always consider the following conditions:
- Do not disrupt or perform actions that may negatively affect Jabra or our customers (denial of service, use malware…).
- Do not attempt to access any Jabra data, information, or systems.
- Do not modify, corrupt, or destroy -or attempt to do so- Jabra's data, information or systems, or any data that might compromise the privacy or safety of Jabra's customers or third parties.
- Do not social engineer any Jabra employee or personnel related to the company in any way.
- Do not violate any laws or breach any agreements in order to discover a vulnerability.
- Do not disclose the vulnerability to the public or third parties before following the process explained below.
Reporting a vulnerability
If you believe you have discovered a security vulnerability affecting a Jabra product or service, please submit a vulnerability report via email to security-center@jabra.com with the following information:
- Detailed description of the suspected vulnerability, including the type of issue, product and version affected, date of discovery and any potential configuration applied to the product.
- Step-by-step instructions required to reproduce the vulnerability. If possible, provide screenshots or any other media that supports the process.
- Any additional information that might be of help when assessing the vulnerability.
If Personal Identifiable Information (PII) or any other confidential information is disclosed, report it to us while complying with applicable laws, i.e. limit your access to PII and any other confidential information and refrain from storing, saving, or transferring the data.
Upon receival, Jabra will acknowledge the report in a timely manner, and we will start investigating it to confirm the existence of the vulnerability. In this regard, an open confidential dialogue will be encouraged, and we might request additional information from you to help with the resolution.
Due to business needs and engineering priorities, Jabra will need reasonable time to address any reported vulnerability. Our security team diligently assesses vulnerabilities based on severity, exploitability, and potential impact. While we strive for timely patch releases, the prioritization process ensures that critical vulnerabilities receive immediate attention. Less severe vulnerabilities may follow a different timeline. Different product models may have unique architectures, firmware versions, and underlying technologies. Consequently, the development and testing of security patches can vary. We commit to addressing vulnerabilities across all affected models but acknowledge that delivery times may differ. Security patches might require patch input from third party vendors that might have an effect on overall timeline of mitigating vulnerabilities.
Our team will be as transparent as possible to let you know the status of the investigation itself and the potential fix, if appropriate.
Public acknowledgement, notification, and compensation
Keep in mind that our customers' security is a priority and therefore, we need to give them enough time to apply any fix that has been developed to remediate the vulnerability. In that regard, we request you not to disclose publicly any information about the vulnerability until the whole process has been completed, including the release of the fix and the notification to our customers, if required.
Whenever applicable and necessary, Jabra will coordinate with you on a public notification of the validated vulnerability. Currently, be informed that Jabra doesn't offer any monetary compensation nor bug bounty program for discovered vulnerabilities but an acknowledgment to the reporting person can be posted together with the security advisory on this webpage.