Bose is committed to securing our products, systems, and services while also delivering the high-quality experiences our customers have come to expect. We have established a security vulnerability reporting program for customers, third-party security researchers, or others to report any security concerns to Bose so they may be investigated and addressed in a timely and effective manner.
Bose encourages the security research community to allow us the opportunity to investigate and address a reported vulnerability before publicly identifying or disclosing it, so we can address the vulnerability before it is potentially exploited and maintain the security of our products, systems, and services. We appreciate the partnership with the security research community to better secure our products and services and protect our customers. Bose does not have a bug bounty reward program in place at this time, but reserves the right to provide compensation or other recognition for valid reports in its own discretion.
Reporting a potential security vulnerability
If you believe you have discovered a potential security vulnerability in a Bose product, system, or service, please submit your findings by email to Bose at firstname.lastname@example.org.
So that we may more effectively address your report, please provide any supporting material (e.g. proof-of-concept code, tool output, screen shots, or videos, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
Fingerprint: 89EA 35C9 165D 6922 75A6 344E F9DE 05D1 9772 6DF6
Key: Bose PGP Key
Bose will review the submitted report and respond to you to acknowledge receipt. We investigate all valid reports.
For general (non-security) related product support issues or questions, please see our Support site.
For members of the press who wish to contact Bose on topics related to the security of Bose products, systems or services, visit our Press Room.
Coordinated public disclosure
If applicable, Bose will coordinate public notification of a validated vulnerability with the individual who reported the issue to Bose. When possible, we would prefer that our respective public disclosures be posted simultaneously.
Bose public notifications are in the form of security advisories. A list of published security advisories can be found below.
Bose Advisory 2018-001: Certain models of Bose NFC-enabled products manufactured with write-enabled NFC memory
Bose Advisory 2018-002: Cross-site scripting vulnerability in Bose SoundTouch mobile applications for Android and iOS, interface versions 19.1.7 and earlier
Bose Advisory 2020-001: Bose QuietComfort 35 II headphones require an update to address a vulnerability in the Slack call answering process on iOS when paired to 2 devices simultaneously