Keeping data safe at Elertus.
We understand that keeping data secure is critical for everyone: our customers, the developers who connect to our products, and the security experts who watch for vulnerabilities. So if you’re a security researcher or developer, here’s everything you need to know about how Elertus keeps data safe and how you can help.
Our responsible disclosure policy.
If you’re a security researcher and think you’ve found a security vulnerability, we want to hear about it right away. We ask that you give us a reasonable amount of time to respond to your report before making any information public. Please don’t access or modify user data without permission of the account owner and act in good faith not to degrade the performance of our services (including denial of service). If you comply with these requests, we won’t take legal action against you.
- We’re interested in the following areas:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- SQL injection (SQLi)
- Authentication/authorization for devices or clients
- Sharing/public model
- Remote code execution
- Data exposure
- Alert/notification spoofing
- Elertus Thermostat, Elertus Movement, or Elertus local Denial of Service (DoS)
- Elertus Thermostat, Elertus Movement, or Elertus resets and lockups
- Wireless vulnerabilities (but not including wireless Denial of Service (DoS))
- Out of scope areas:
- Website or API Denial of Service (DoS)
- Wireless Denial of Service (DoS)
- Issues only present in old/end-of-life browsers and old plugins
Our security submissions and reward policy.
To submit security issues involving Elertus apps and online properties, please use AlrtU’s Vulnerability Program. To contact us directly to report a vulnerability, email@example.com.
Frequently asked questions about Elertus security.
We do everything in our power to make sure data is used for one purpose: to make your life with Elertus better. To find out exactly how we keep data secure, take a look below.
What information is stored on Elertus devices?
Your Elertus devices collect setup information like your Wi-Fi network information, environmental data from sensors like temperature and humidity, temperature adjustments, usage and occupancy information, and more.
Where is my Elertus Account password stored?
Account passwords are not stored directly on our servers. Elertus follows best practices and uses a non-reversible, slow, salted key-derivation function to protect your password.
How do you store my data online?
Elertus uses Amazon Web Services (AWS) for cloud servers and online storage. Amazon’s security policies can be found here.
We also work with Rackspace to provide redundancy. Their policies are here.
How does Elertus prevent and resolve security issues?
Elertus has a dedicated engineering team that’s focused on monitoring security threats and updating our systems as needed. Members of the operations team are also continually keeping our servers up to date with security patches and operating system updates.
In addition, Elertus has a program open to security researchers.
Can my Elertus device be hacked using the USB port?
USB-based hacking is a jailbreak that requires physical access to a device. Physical jailbreaks like this don’t compromise the security of our servers or the connections to them. There have been no known instances of anyone hacking an Elertus product remotely.