Working together for a secure smart home


Transparency and cooperation for maximum security

The security of our products and cloud services has the highest priority. By reporting potential vulnerabilities responsibly, you are making a valuable contribution to the continuous improvement of our systems. We are constantly reviewing and developing our infrastructure to meet the latest security requirements. The aim is to identify potential risks at an early stage, to communicate them transparently and to remedy them resolutely. This approach helps us to build trust – for a secure and comfortable smart home experience.

Why do we need a Vulnerability Disclosure Policy?

A Vulnerability Disclosure Policy (VDP) sets out clear rules and procedures for reporting security vulnerabilities. It creates trust by promoting transparency in the handling of security-relevant issues. 

For Homematic IP, this policy is a central element in continuously improving the security of our products and services and identifying risks at an early stage. At the same time, it shows potential vulnerability reporters how their reports are processed and what expectations exist on both sides. 

A VDP is therefore an important feature in a responsible security culture.

How to report vulnerabilities

Everything you need to know about our reporting channels, the information required and how we process incoming reports is set out below. This approach enables us to quickly forward your report to the right contact person and integrate any findings promptly into our security processes.

  • E-mail: security@eq-3.com
  • security.txt: Our contact data is also available at /.well-known/security.txt.

Information required:

  • Affected product or service
  • Description of the vulnerability
  • Steps to reproduce the vulnerability
  • If possible: Technical details or proof of concept

Reaction time & procedure:

  • Confirmation of receipt within 5 working days
  • Analysis & prioritisation of the report (evaluation in accordance with the CVSS)
  • Communication regarding progress
  • Rectification of the vulnerability & publication of a security advisory (where necessary)

Security-relevant software updates will be provided for all Homematic IP products for a period of at least five years from the start of sale. This measure is in line with the requirements of the EU Regulation (Cyber Resilience Act) aimed at enhancing the cybersecurity of connected products.

The stated period applies to security-relevant updates. It does not apply to functional enhancements.

Safe Harbour regulation – protection for responsible reporting

We advocate the responsible disclosure of vulnerabilities. Anyone who abides by our rules can expect a fair and transparent process. We are aware that many people who identify vulnerabilities not only have technical expertise, but also demonstrate a high sense of responsibility. Their contribution plays a key role in making our systems more secure and more robust.

Our goal is therefore to actively encourage this commitment, remove potential barriers and create an environment that supports constructive feedback. We are committed to ensuring that reports are received openly, evaluated objectively and processed in a transparent manner. At the same time, we want to create security and trust – both for the person reporting and for all users of our systems.

Important notes:

  • No attacks on our systems (e.g. DDoS, social engineering).
  • Tests only on systems for which you are authorised.
  • No publication of sensitive information without prior consultation.