Looking Glass Product Security Policy

Looking Glass is committed to protecting our customers' data and privacy by addressing vulnerability research in a timely and efficient manner. We recommend that security researchers follow this disclosure policy when reporting security vulnerabilities. This policy applies to parties who discover or report vulnerabilities in our products. This policy is based on and references techniques used in the ISO standard for Vulnerability Disclosure, ISO/IEC 29147. Our policy outlines our commitment to addressing security vulnerabilities, providing timely updates, and ensuring the integrity and security of our products.

Security Research Requirements

Under this policy, “security research” means activities in which security researchers:

  • Notify Looking Glass as soon as possible after discovering a real or potential vulnerability.
  • Make a good faith effort to avoid privacy violations, preserve the user experience, prevent disruptions to production systems, and safeguard against the destruction or manipulation of data. Security testing that violates any law could lead to possible criminal or legal investigation. See the Legal Protections section for details.
  • Keep vulnerabilities private during the vulnerability disclosure time frame, while providing Looking Glass with a reasonable amount of time to resolve the issue before public disclosure.

Vulnerability Scope of Coverage

This policy covers all vulnerabilities in Looking Glass connected products, platforms, and the controlling mobile applications. This includes vulnerabilities in the firmware, mobile applications, and cloud services.

Any service not expressly listed above, such as any third-party service, is excluded from scope and is not authorized for testing by Looking Glass. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at: security@lookingglassfactory.com.

Reporting Vulnerabilities

Security vulnerability reports may be submitted anonymously. Vulnerabilities can be reported by sending an email to security@lookingglassfactory.com with the subject line "Vulnerability Report".

We encourage security researchers to use the encrypted communication channels to submit security reports. Our PGP public key can be found here.

Reports should include as much information as possible. The following information will help us to evaluate your submission as quickly as possible:

  • Issue description and its potential impact
  • The products, platform, and/or software versions affected
  • Instructions on how to reproduce the issue
  • A working proof-of-concept (PoC)
  • Suggested mitigation or remediation actions (as appropriate)

Upon confirmation of a security vulnerability, the external party will receive acknowledgement within 3 business days. We will keep external parties informed of the status of their report every 2-3 weeks throughout the handling process, including when the vulnerability has been remediated. Looking Glass will assign a severity level to the vulnerability to prioritize it based upon the risk it poses to our customers’ data and privacy. These updates will be provided free of charge with no personal information required from customers.

Software Updates

Looking Glass regularly releases updates for our products to improve functionality, address performance issues, and enhance security. Security updates, including patches for identified vulnerabilities, are prioritized and released as quickly as possible to minimize exposure to security risks. Customers are notified of available updates through our regular communication channels, including email, in-product alerts, and our website.

Customer Support

Our customer support team is available to assist customers with product-related inquiries, technical issues, and security concerns. We provide multiple channels for customers to reach our support team, including email, HelpScout, and Discord. Support inquiries related to security vulnerabilities will be escalated to our security team for evaluation and resolution; see the Reporting Vulnerabilities section for details.

Product Support Period

The Looking Glass Go will receive full support, including software updates, security patches, and technical assistance, through June 30, 2027, or three years from the initial release on June 30, 2024. These updates will be provided free of charge with no personal information required from customers.

Following the end-of-life date, Looking Glass will cease the provision of software updates, security patches, and technical support for the Looking Glass Go. However, customers may still have access to self-service resources, such as knowledge base articles, blog posts, and user forums, for a limited period following the end-of-life date.

In exceptional cases where continued support for the Looking Glass Go is necessary beyond the end-of-life date, customers may have the option to enter into custom support agreements with Looking Glass. Custom support agreements will be subject to negotiation and may include additional fees and terms based on the specific requirements of the customer.

Continuous Improvement

We continuously monitor feedback from customers, security researchers, and industry experts to improve the security and reliability of our products. Feedback and lessons learned from security incidents are analyzed to implement proactive measures and enhance our security posture.

Legal Protections

We are committed to protecting those who report vulnerabilities in good faith. We will not take legal action against individuals who report vulnerabilities in accordance with this policy. Unless the reporter explicitly requests acknowledgement, we will maintain the confidentiality of their identity unless otherwise required by law.

Looking Glass prioritizes the security and integrity of our products and is committed to providing exceptional support for our customers. Our support policy reflects our dedication to compliance with regulations, transparency in communication, and continuous improvement in product security. We encourage feedback from our customers and stakeholders to help us maintain the highest standards of security and reliability.

Last Updated: April 30, 2024