Jabra is committed to the security and assurance of all our products and services and therefore, we acknowledge the importance and key role that independent security researchers play in helping to protect systems and data. With the intention of supporting this goal, Jabra welcomes the disclosing persons to disclose any vulnerability found in our products so our teams can collaborate and coordinate a security fix.
This policy describes how Jabra manages the vulnerability disclosures and the different considerations that need to be made when reporting them in a responsible way.
The Product Vulnerability Disclosure Policy addresses all products and services sold under the Jabra brand, including software and hardware. However, certain types of vulnerabilities are out of scope, and they include:
Our product vulnerability policy is designed to address vulnerabilities within our own products. Any vulnerabilities related to third-party vendors fall outside of this policy and should be reported directly to the vendor according to their disclosure policy (if any).
If the policy is followed and adhered to as described, Jabra will not pursue civil action or support any legal action related to your security research activity for accidental, good faith violations of this policy, or initiate a complaint to law enforcement for unintentional violations.
We encourage you to contact us - using the contact information below - for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
When trying to exploit a potential vulnerability, you must always consider the following conditions:
If you have discovered a security vulnerability affecting a Jabra product or service, please submit a vulnerability report using this form.
If Personal Identifiable Information (PII) or any other confidential information is disclosed, report it to us while complying with applicable laws, i.e. limit your access to PII and any other confidential information and refrain from storing, saving, or transferring the data.
Upon receival, Jabra will acknowledge the report in a timely manner, and we will start investigating it to confirm the existence of the vulnerability. In this regard, an open confidential dialogue will be encouraged, and we might request additional information from you to help with the resolution.
Due to business needs and engineering priorities, Jabra will need reasonable time to address any reported vulnerability. Our security team diligently assesses vulnerabilities based on severity, exploitability, and potential impact. While we strive for timely patch releases, the prioritization process ensures that critical vulnerabilities receive immediate attention. Less severe vulnerabilities may follow a different timeline.
Different product models may have unique architectures, firmware versions, and underlying technologies. Consequently, the development and testing of security patches can vary. We commit to addressing vulnerabilities across all affected models but acknowledge that delivery times may differ. Security patches might require patch input from third party vendors that might have an effect on overall timeline of mitigating vulnerabilities.
Our team will be as transparent as possible to let you know the status of the investigation itself and the potential fix, if appropriate.
Keep in mind that our customers' security is a priority and therefore, we need to give them enough time to apply any fix that has been developed to remediate the vulnerability. In that regard, we request you not to disclose publicly any information about the vulnerability until the whole process has been completed, including the release of the fix and the notification to our customers, if required.
Whenever applicable and necessary, Jabra will coordinate with you on a public notification of the validated vulnerability. Currently, be informed that Jabra doesn't offer any monetary compensation nor bug bounty program for discovered vulnerabilities but an acknowledgment to the reporting person can be posted together with the security advisory on this webpage.
| DATE | ID | INFORMATION |
|---|---|---|
2025/10/30 | CVE-2025-7783 | A potential security vulnerability affecting the ringtone file upload functionality in Jabra Direct Online (JDO) has been addressed in firmware 6.25.29101 |
25/09/29 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. It has been fully addressed in Jabra Perform 75 (FW 2.28.0). The vulnerability was resolved by 29/09/2025. |
25/09/17 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. |
25/04/29 | CVE-2025-2783 | The vulnerability has been fully addressed in Jabra Direct release 6.22.11401 The vulnerability was resolved by upgrading the Electron framework used for the desktop application. |
24/09/26 | Secure pairing in DECT products | |
24/04/15 | Arbitrary Code Execution in Jabra Direct Online application | A potential vulnerability initially reported by RIPEDA Consulting on 2023-12-23 affecting the handling of the Electron fuse 'RunAsNode' has been addressed in Jabra Direct release 6.14.08801 |
24/03/19 | CVE-2023-4863 (update) | The vulnerability has been fully addressed in Jabra Direct release 6.13.01801 while Personal Base Screen Image feature has been reverted back |
23/10/18 | CVE-2023-4863 | The vulnerability has been addressed in Jabra Direct release 6.11.28601 by removing the Personal Base Screen Image which was available for Jabra Engage 75 |
21/04/22 | Security Incident Bulletin Version 2.0 |
