Coordinated Vulnerability Disclosure Policy

Introduction

At Sonova, we are committed to ensuring the security and resilience of our products and related services. We understand that, despite our efforts, vulnerabilities can occur. Everyone is encouraged to report suspected vulnerabilities or security concerns related to our products or their underlying software or infrastructure. This includes security researchers, customers and end consumers, CERTs (Computer Emergency Response Teams), industry groups, partners, and all other stakeholders.   

Prior to submitting a report, please read this policy thoroughly and ensure your actions are aligned with its guidelines.  

Reporting a Vulnerability

We kindly ask anyone who believes they have discovered a potential security vulnerability in our products or related services to report it to us as soon as possible using the following official channel: psirt[at]sonova[.]com. 

When submitting a report, please follow these guidelines:  

• Provide detailed information about the potential vulnerability, including a clear description and steps to reproduce the finding. Set forth below is a template you can use as a guide for your report.
• Avoid any actions that can harm the confidentiality, integrity, availability, or safety of our products and services or data. Please refrain from causing any material harm, altering data, abusing privilege escalation, or downloading more data than is necessary to demonstrate the vulnerability.
• Maintain the confidentiality of your findings until we have completed our investigation and implemented necessary measures, and notified you as specified under “Our Commitments” below. This helps protect our users and ensures the responsible handling of security issues.
• If you believe you are obligated to report this issue to a third party, please contact us prior to any such disclosure.
• Please provide your contact details, such as an email address or phone number, so we can follow up with you for further investigation.

Our Commitments

• Upon receiving a report of a security vulnerability, Sonova commits to the following:
• We will acknowledge receipt of your report, confirming that your submission has been received and is being processed.
• Our dedicated security team will conduct a thorough investigation of the reported vulnerability.  We may contact you for further information or clarification to ensure a comprehensive understanding of the vulnerability.
• We prioritize the resolution of reported vulnerabilities based on their severity and complexity. Our team is committed to taking the necessary steps to address and mitigate risks quickly and effectively.
• We will maintain an open and transparent communication with you throughout the process. You will be kept informed of our progress in investigating and resolving the issue, with regular updates provided at key stages.

Exclusions

While we encourage the reporting of any security vulnerabilities found, please note that the following actions are strictly prohibited:  

• Using invasive or disruptive automated scanning against our infrastructure.
• Accessing, downloading, modifying, or otherwise interfering with data in accounts or systems that you do not own or have explicit permission to interact with.
• Maintaining access to our systems.
• Installing anything in our network, especially any malicious software (malware, backdoors, etc.).
• Using brute force attacks.
• Performing activities that disrupt, degrade, or threaten the operational integrity or availability of our products and related services or systems.
• Disclosing identified vulnerability in public or to any 3^rd party without coordinating it with Sonova, as defined in this policy.
• Engaging in any form of social engineering, phishing attacks, or deceptive practices against our employees, users, or infrastructure.
• Conducting physical security attacks on Sonova’s assets.

Vulnerabilities Out of Scope for this Program

This vulnerability disclosure program is focused on vulnerabilities related to Sonova products, their underlying infrastructure, and related services.  

To enable efficient allocation of resources and focus on mitigating vulnerabilities with significant impact, we define the following categories as out of scope for this vulnerability disclosure program. Reporting these may not result in acknowledgment or remediation actions:  

• Submissions resulting from automated scanning tools or automated analysis.
• Observations concerning weak SSL/TLS cryptographic algorithms and vulnerabilities in TLS setups, unless an actual, exploitable risk specific to our environment can be demonstrated.
• Absence of recommended security measures, implementation of libraries known for vulnerabilities, or detailed error messages, unless these include clear, demonstrable pathways for exploitation.

Legal Statement / Safe Harbour

At Sonova, we value the contributions of security researchers and recognize the importance of their efforts in enhancing the security of our products.  

If you comply with the guidelines of our vulnerability disclosure policy, your actions will be considered authorized, and we will not initiate legal action against you. While we support responsible security research, please note that your adherence to this policy does not exempt you from complying with any applicable local laws. If legal action is initiated by a third party relating to your activities under this policy, please be aware that while we aim to clarify the nature of your compliance with our policy, we cannot engage in legal representation or direct intervention on your behalf. 

Contact Us

For any questions or submissions regarding security vulnerabilities, please contact us at psirt[at]sonova[.]com.

Vulnerability Reporting Template

• Email subject should contain key words, like: Vulnerable product/service/component name, severity of the vulnerability, impact statement.
• Preferred language for communication: English.