Responsible Disclosure Policy

The purpose of this policy is to outline the procedures for reporting and addressing vulnerabilities in our products. This policy aims to ensure that our products are secure and protect the privacy of our customers.

Reporting Process

Security researchers or individuals who discover a vulnerability related to Brivo should contact us at security@brivo.com to report the vulnerability. Brivo will acknowledge receipt of the report within 5 business days and confirm that we have received the report. Brivo will investigate the reported vulnerability and verify its existence and severity. Brivo will respond to the reporter with an update on the status of the investigation and any actions we are taking to address the vulnerability.

Brivo will review the disclosure and assess severity. Severity classification is at the sole discretion of the Brivo Engineering and Security Operations teams. Depending on the severity, a timeline to remediate will be assigned. Brivo will publicly disclose the vulnerability and the fix, once it has been implemented.

Brivo will maintain the confidentiality of the reporter’s identity and any information provided during the disclosure process.

Reports to security@brivo.com will be addressed when submitted with the following:

We do not have a reward program, but we will publicly credit people or organizations that have reported security issues to us in our published security advisories or release notes (unless otherwise requested).

Non-compliance

Public disclosure of the submission details of any identified or alleged vulnerability without the expressed written consent from Brivo will deem the submission as noncompliant with this policy

Additionally, you are prohibited from: