Allegion takes the security of our products and systems seriously and looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Follow HackerOne's disclosure guidelines.

Program Rules

As part of this program, all researchers shall follow these rules to minimize potential risks to individuals, data, systems, and products:

• ==Please rate limit your automated scanning tools to 100 requests per second. Anything more than this which results in degradation of the site will result in a program ban.== • Only research vulnerabilities related to in scope systems; do not access other systems or perform out-of-scope research; • If identifying vulnerabilities involving information that could reasonably identify a person, do not access, download, store, process, or transmit such information; and if identification of such a vulnerability occurs, notify Allegion immediately; • Avoid harming or impacting or otherwise degrading any person, product, service, or user experience; • Do not engage in social engineering (e.g., phishing, vishing, smishing); • Only interact with accounts you own or with explicit permission of the account holder; • Perform research in a manner consistent with applicable law; • Preserve and keep data generated during security testing and research under appropriate security controls; and • Agree that Allegion may use your research to take all reasonable steps to validate, mitigate, and disclose the vulnerability.

As part of this program, all researchers shall follow these rules when making reports:

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged. • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced). • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

Out of scope vulnerabilities

The following vulnerability categories are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction

Response Targets

Allegion will make a best effort to meet the following SLAs for hackers participating in our program:

We’ll try to work with you to understand and remediate vulnerabilities and keep you informed about our progress throughout the process.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you or refer your activity to law enforcement. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Allegion and our users safe!