ONEKEY is a platform for automated security analysis and compliance checks of IoT firmware. Our mission is to secure the Internet of Things. To discover vulnerabilities and vulnerability patterns within IoT devices, and to further enhance the automated identification that allows for scalable detection within ONEKEY, we conduct extensive security research in the area of IoT.
By fixing existing vulnerabilities and applying the latest security patches to affected devices, vendors, manufacturers and end users all play integral roles in securing the Internet of Things. Whenever the ONEKEY Research Lab discovers vulnerabilities in IoT firmware, we aim to responsibly disclose relevant information to the vendor of the affected IoT device as well as the general public in a way that minimizes potential harm and encourages further security analyses of IoT systems.
But…
ONEKEY Research Lab respects the privacy of its clients and the confidentiality of analyses conducted via the ONEKEY platform. As such, ONEKEY Research Lab will not publicly release any vulnerabilities identified by its clients via the ONEKEY platform.
ONEKEY Research Lab commits to putting reasonable effort into establishing communication with the affected vendor. We try to use the publicly available security contact; otherwise, we contact the vendor support through publicly available mechanisms and/or send emails to security@, support@, info@ addresses.
We ask vendors to provide an appropriate security contact including encryption certificates to protect the confidentiality of the security advisory or any further communication.
In no case will a vulnerability be “kept quiet” because a product vendor does not wish to address it. To maintain transparency in the process, we include a summary of the communication we’ve had with the vendor in the advisory.
We encourage vendors to provide us with updated information to be included in the final security advisory. This could include: the software versions or hardware revisions affected by the bug, the number of the fixed version, and a means to obtain the update (e.g. the URL of a website where the security fix or new version can be downloaded). We recommend that the vendor request CVE numbers for the corresponding vulnerability.