Responsible Disclosure Policy

Schlage takes the security of our products/systems seriously, and we value and appreciate contributions from the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our customers.

Scope

For this program, we are currently interested in receiving vulnerability reports related to "In-Scope Systems": ENGAGE™-branded commercial connected products and their associated mobile applications. This includes the following:

  • ENGAGE™ Technology: NDE/NDEB, LE/LEB, RU/RM (Von Duprin), Control, Control Mobile Enabled Smart Lock, GWE Gateway, CTE Single Door Controller
  • Mobile Applications: Allegion ENGAGE™ app

Out-of-Scope

Although we are focused on the security of all our products and systems, for this particular program the following products and systems are considered out-of-scope:

  • Connected products, mobile applications, APIs, or websites associated with Schlage products or other Allegion brands
  • Third party connections or services related to In-Scope Systems
  • Assets, software, applications, or services located on or operated from our corporate, factory, production, or other types of infrastructure
  • Denial-of-service, social engineering, or physical access to infrastructure
  • Any type of vulnerability that may generally impact the user experience

What We Expect of Researchers

As part of this program, Allegion expects all researchers to follow these rules to minimize potential risks to individuals, data, systems, and products:

  • Only research vulnerabilities related to In-Scope Systems; do not access other systems or perform out-of-scope research
  • If identifying vulnerabilities involving information that could reasonably identify a person, do not access, download, store, process, or transmit such information; if identification of such a vulnerability occurs, notify Schlage immediately
  • Avoid harming, impacting, or otherwise degrading any person, product, service, or user experience
  • Perform research in a manner consistent with applicable law
  • Preserve and keep data generated during security testing and research under appropriate security controls
  • Maintain information about vulnerabilities as confidential and do not share it with third parties until Allegion has remediated the issue or mutually agreed to public release
  • Agree that Allegion may use your research to take all reasonable steps to validate, mitigate, and disclose the vulnerability

What Researchers Can Expect of Us

If researchers operate within the scope of this program and meet the above expectations, Allegion commits to the following:

  • Not refer researchers who access In-Scope Systems to law enforcement or other government authorities
  • Work with researchers to understand and remediate vulnerabilities
  • Credit researchers who find vulnerabilities, if they request it, in a publicly released patch or security fix

How to Report

All security vulnerabilities should be reported by completing this online form [link]. To ensure the vulnerability can be properly identified and remediated, please include the following details in your submission:

  • Your contact information (name, organization, phone #, e-mail)
  • General description of the concern or vulnerability
  • Product or service containing vulnerability (hardware & software versions, part numbers)
  • Date/time when the vulnerability was discovered
  • Technical description of the concern or vulnerability
    • Tools, hardware, and other configurations required to trigger the event
    • Instructions to reproduce the event
    • Sample code, proof of concept, or executable used to produce the event