Vulnerability Disclosure Policy

Philosophy

At Owlet, we are committed to prioritizing the safety and security of our users, especially the parents and families who entrust us with the well-being of their loved ones. Recognizing the dynamic nature of cybersecurity, we understand that vulnerabilities may arise despite our best efforts. In line with our dedication to transparency, collaboration, and user safety, we invite the security community to assist us in identifying and addressing potential vulnerabilities. This Vulnerability Disclosure Policy serves as a framework for responsible security researchers to report any discovered vulnerabilities, ensuring a coordinated and swift response. By fostering an open dialogue and partnership with the security community, we aim to continually strengthen the security of our products and uphold the trust placed in us by our users. Your contributions play a vital role in our collective mission to provide peace of mind to parents and caregivers. We appreciate your support in creating a safer digital environment for families.

Scope

This vulnerability disclosure policy applies to all hardware products, mobile applications, application programming interfaces, and websites owned, operated, and maintained by Owlet. It is not for reporting adverse events or product quality complaints. If you need to report one of these, please visit our Help Center.

Reporting a Vulnerability

If a vulnerability is discovered, provide a detailed summary of the vulnerability, including the following:

  • detailed technical description of the vulnerability and its potential impact;
  • steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability;
  • product, version, and configuration of any software or hardware potentially impacted;
  • proof-of-concept; and
  • suggested mitigation or remediation actions, as appropriate.

Images, e.g., screen captures, and other documents may be attached to reports. We request that any scripts or exploit code be embedded into non-executable file types.

Please encrypt your report with our PGP key and email it to security@owletcare.com. You can find the PGP key for security@owletcare.com on most public key servers.

The Owlet Security Team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We strive to acknowledge receipt of all vulnerability reports within 1-3 business days.

Bug Bounty

We do not have a formal bug bounty program and do not currently reward reporters for their findings.

Questions

Questions regarding this policy may be sent to security@owletcare.com. We also invite security researchers to contact us with suggestions for improving this policy.