Responsible Disclosure

Reporting a Potential Security Vulnerability is welcomed from independent researchers, industry organizations, vendors and customers concerned with product security. We encourage coordinated disclosure of security vulnerabilities.

Coordinated Vulnerability Disclosure (CVD) is a process that allows independent reporters who discover a vulnerability to contact Resideo directly, thereby allowing us the opportunity to investigate and re-mediate the vulnerability before the reporter discloses the information to the public.

Our internal Product Security Incident Response Team (PSIRT) will coordinate with the reporter throughout the vulnerability investigation and will provide them with updates on progress as appropriate. With their agreement, the PSIRT may recognize the reporter on our Hall of Fame Acknowledgment site for finding a valid product vulnerability and privately reporting the issue. After an update or mitigation information is publicly released by Resideo, the reporter is welcome to discuss the vulnerability publicly.

Following the CVD allows us to protect our customers and at the same time, coordinate public disclosures and appropriately acknowledge the reporter for their finding. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities by filling and submitting the Responsible Disclosure Form.

By submitting a report to Resideo, you agree to keep the subject matter of the report, as well as all subsequent related conversations with Resideo, strictly confidential.