Coordinated Vulnerability Disclosure Policy
Sonos is committed to protect our customers' data and privacy by addressing vulnerability research in a timely and efficient manner. We recommend security researchers to follow this coordinated disclosure policy when reporting security vulnerabilities. The Security Vulnerability Response Team will be responsible for receiving and handling reports of vulnerabilities. This policy applies to parties who discover or report vulnerabilities in our products. This policy is based on and references techniques used in the ISO standard for Vulnerability Disclosure ISO/IEC 29147.
Requirements:
Under this policy, “vulnerability research” means activities in which security researchers:
- Notify Sonos Security Team as soon as possible after the new discovery of a real/potential security vulnerability.
- Make an effort in good faith to avoid privacy violations, preserve the user experience, prevent disruptions to production systems, and safeguard against the destruction or manipulation of data. Security testing that violates any law could lead to possible criminal or legal investigation. See Legal Issues and Protections section.
- Keep vulnerabilities private during the coordinated vulnerability disclosure time frame, while providing Sonos with a reasonable amount of time to resolve the issue before public disclosure.
Vulnerability Coverage:
This policy covers all vulnerabilities in Sonos's interconnected products, platforms, and the controlling mobile applications. This includes vulnerabilities in the firmware, mobile applications, and cloud services.
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorised for testing by Sonos. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope, contact security@sonos.com. Note: Security Researchers should see the external vulnerability disclosure policies of any third-party interconnected service to determine the authorised testing scope of those services.
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorised for testing by Sonos. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope, contact security@sonos.com. Note: Security Researchers should see the external vulnerability disclosure policies of any third-party interconnected service to determine the authorised testing scope of those services.
Reporting Vulnerabilities:
We encourage the responsible disclosure of vulnerabilities to our Security Vulnerability Response Team.
Reports may be submitted anonymously.
Vulnerabilities can be reported by sending an email to security@sonos.com with the subject line "Vulnerability Report".
We strongly encourage security researchers to use the encrypted communication channels to submit security reports. Our PGP public key can be found here.
Reports should include as much information as possible. The following information will help us to evaluate your submission as quickly as possible:
Reports may be submitted anonymously.
Vulnerabilities can be reported by sending an email to security@sonos.com with the subject line "Vulnerability Report".
We strongly encourage security researchers to use the encrypted communication channels to submit security reports. Our PGP public key can be found here.
Reports should include as much information as possible. The following information will help us to evaluate your submission as quickly as possible:
- Issue description and its potential impact
- Product(s) and software version(s) affected
- Instructions to how to reproduce the issue
- A proof-of-concept (PoC)
- Suggested mitigation or remediation actions, as appropriate
What You Can Expect From Us:
- After reporting a vulnerability, external parties can expect to receive acknowledgement of their report within 3 working days.
- We will keep external parties informed of the status of their report every 2-3 weeks throughout the handling process, including when the vulnerability has been remediated.
- We will assign a severity level to the vulnerability and prioritise it based on the risk it poses to our customers' data and privacy.
Acknowledgments:
While we currently do not have a bug bounty programme for external security researchers, we have a place to recognise and acknowledge responsible disclosure with our Security Researcher Recognition Page.
Legal Issues and Protections:
We are committed to protecting those who report vulnerabilities in good faith. We will not take legal action against individuals who report vulnerabilities in accordance with this policy. Unless the reporter explicitly requests acknowledgement, we will maintain the confidentiality of their identity unless otherwise required by law.
Conclusion:
We believe that responsible disclosure is crucial to protecting our customers' data and privacy. This policy outlines our commitment to addressing vulnerabilities in a timely and efficient manner. We encourage all parties to report vulnerabilities to our Security Vulnerability Response team and to work with us to protect our customers.