Responsible Disclosure Policy

Schlage takes the security of our products/systems seriously, and we value and appreciate contributions from the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our customers.


For this program, we are currently interested in receiving vulnerability reports related to “In-Scope Systems.”  This would include the following:

  • ENGAGE™ Technology: NDE/NDEB, LE/LEB, RU/RM (Von Duprin), Control, Control Mobile Enabled Smart Lock, GWE Gateway, CTE Single Door Controller, including related cloud platform and mobile application (i.e., Allegion ENGAGE™ app)
  • Schlage Home:  Encode™, including related cloud platform and mobile application (i.e., Schlage Home app)
  • Overtur: The Overtur web app, mobile app, and cloud platform


Although we are focused on the security of all our products and systems, for this particular program, the following products and systems are considered out-of-scope: 

  • Connected products, mobile applications, APIs, or websites associated with other Schlage products or Allegion brands
  • Third-party connections or services related to In-Scope Systems
  • Assets, software, applications, or services located on or operated from our corporate, factory, production, or other types of infrastructure
  • Denial-of-service, social engineering, or physical access to infrastructure
  • Any type of vulnerability that may generally impact the user experience

What We Expect of Researchers

As part of this program, Allegion expects all researchers to follow these rules to minimize potential risks to individuals, data, systems, and products:

  • Only research vulnerabilities related to In-Scope Systems; do not access other systems or perform out-of-scope research
  • If identifying vulnerabilities involving information that could reasonably identify a person, do not access, download, store, process, or transmit such information; if identification of such a vulnerability occurs, notify Schlage immediately
  • Avoid harming, impacting, or otherwise degrading any person, product, service, or user experience
  • Perform research in a manner consistent with applicable law
  • Preserve and keep data generated during security testing and research under appropriate security controls
  • Maintain information about vulnerabilities as confidential and do not share with third parties until Allegion has remediated the issue or mutually agreed to public release
  • Agree that Allegion may use your research to take all reasonable steps to validate, mitigate, and disclose the vulnerability

What Researchers Can Expect of Us

If researchers operate within the scope of this program and meet the above expectations, Allegion commits to the following: 

  • Not referring researchers who access In-Scope Systems to law enforcement or other government authorities
  • Working with researchers to understand and remediate vulnerabilities

How to Report

You must agree to the terms above to report a security vulnerability. Indicate your agreement in the box below and click ‘Submit’ to see an online form to provide your information.  To ensure the vulnerability can be properly identified and remediated, please include the following details in your submission:

  • Your contact information (name, organization, phone #, e-mail)
  • General description of the concern or vulnerability
  • Product or service containing vulnerability (hardware & software versions, part numbers)
  • Date/time when the vulnerability was discovered
  • Technical description of the concern or vulnerability
    • Tools, hardware and other configurations required to trigger the event
    • Instructions to reproduce the event
    • Sample code, proof of concept or executable used to produce event