Bose Product Security Vulnerability Response

Bose is committed to securing our products and services while also delivering the highest quality connected experiences our customers have come to expect. We have established a Product Security Vulnerability Response (PSVR) program for customers or third-party security researchers to report security concerns to Bose in a responsible manner so they may be investigated and resolved in a timely and effective manner.

Our PSVR program is based upon the principles of Coordinated Vulnerability Disclosure. Under this principle, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the manufacturer or provider of the affected product (“vendor”); to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. If this investigation results in an update and/or advisory, the vendor may recognize the finder for the research and privately reporting the issue. The aim is to provide timely and consistent guidance to customers to help them protect themselves.

Bose encourages the security research community to allow us the opportunity to investigate and correct a reported vulnerability before publicly identifying or disclosing it, so we can address the vulnerability before it is potentially exploited and maintain the security of our products and services. We appreciate the partnership with the security research community to better secure our products and services to protect our customers. Bose does not have a formal bug bounty reward program in place at this time, but reserves the right to provide compensation or other recognition for valid reports in its own discretion.

Reporting a potential security vulnerability

If you believe you have discovered a potential security vulnerability in a Bose product, please submit your findings by email to Bose at privacyandsecurity@bose.com.

So that we may more effectively address your report, please provide any supporting material (e.g. proof-of-concept code, tool output, screen shots, or videos, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

The information you share with Bose as part of this process is kept confidential within Bose. It will not be shared without your permission with any third parties, other than those working on Bose’s behalf that assist in our vulnerability response procedures or if Bose is required to share information with law enforcement.

To protect the contents of your submission, encrypt it with our PGP key available here:

Fingerprint: 89EA 35C9 165D 6922 75A6 344E F9DE 05D1 9772 6DF6
Key: Bose PGP Key

Bose will review the submitted report and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.

Scope of security concerns handled by the Bose PSVR Team

The Bose PSVR Team responds to the following types of security vulnerability reports:

  • Security concerns identified in Bose products (e.g. speakers, mobile applications, and desktop applications)
  • Security concerns affecting Bose hosted service offerings related to product operations, such as how firmware updates are obtained, and Bose cloud services relate to product operation
  • Potential flaws in Bose documents regarding security information or recommendations (e.g. datasheets and application notes).

Out of Scope for Product Security Vulnerability Response

For general (non-security) related product support issues or questions, please see our Support site.

Concerns about Bose.com and related sites and functionality should be directed to the resources on our Contact us page.

Please review our Privacy policy at Bose.com for questions related to the privacy of user data.

For members of the press who wish to contact Bose on topics related to the security of Bose products, visit our Press Room.

Evaluation by Bose

We investigate and respond to all valid reports. Incomplete reports may require Bose to request additional information in order to validate or assess the issue. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and possible public disclosure.

Bose is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. We will do our best to initiate a non-automated response to your initial contact within 48 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us on a regular cadence to be determined between you and Bose based on the specifics of each reported issue. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a status update.

Vulnerability classification

Bose uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and to prioritize our response.

More information on CVSS >

Coordinated public disclosure

If applicable, Bose will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, Bose requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

Bose public notifications are in the form of security advisories. A list of published security advisories can be found below.

Bose Security Advisories

Bose Advisory 2018-001: Certain models of Bose NFC-enabled products manufactured with write-enabled NFC memory

Bose Advisory 2018-002: Cross-site scripting vulnerability in Bose SoundTouch mobile applications for Android and iOS, interface versions 19.1.7 and earlier