Report a security vulnerability

If you believe that you have discovered a security or privacy vulnerability in a SONOFF product, please report it to us.

How to report a security vulnerability

If you believe you’ve discovered a security or privacy vulnerability affecting SONOFF devices, software, or services, please report it directly to us on the web at the Security Response Center.

Reports should include

  • The specific product and software version(s) that you believe are affected
  • The security vulnerability type, mobile application/hardware/network system
  • Security vulnerability description that you observed and the behavior that you expected
  • Further detailed proof of concept or exploit.

How SONOFF handles the security vulnerability reports

Upon receiving a vulnerability report, our dedicated security team follows a standardized process to assess, prioritize, and remediate the reported issue. The steps of our vulnerability handling process include:

  • Receipt and Triage: Vulnerability reports are received through Security Response Center and promptly triaged by our security team.
  • Assessment: The reported vulnerability undergoes thorough assessment to determine its severity and potential impact on our products and infrastructure.
  • Prioritization: Vulnerabilities are prioritized based on severity, impact, and exploitability.
  • Remediation: Our engineering team develops and implements appropriate fixes or mitigations to address the reported vulnerabilities.
  • Verification: Remediations are rigorously tested to ensure effectiveness without introducing new issues.
  • Communication: We maintain transparent communication with stakeholders throughout the remediation process, providing regular updates on the status of reported vulnerabilities.
  • Resolution: Once remediations are verified, they are deployed to production environments.

We refrain from disclosing security vulnerability issues until our comprehensive investigation concludes and any requisite updates are readily accessible.

Alternatively, you can send your reports to us via email at src@itead.cc. Please make sure that you include the information covered above. If your report doesn’t include enough information to allow us to reproduce the issue, we may not be able to accept your report and resolve the security vulnerability issue.

Pin It on Pinterest