Jabra is committed to the security and assurance of all our products and services. We recognize the important role that independent security researchers and other members of the security community play in helping to protect our systems and data. To support this, Jabra welcomes vulnerability reports about our products so that our teams can collaborate with reporters to investigate the issue and, where appropriate, coordinate a security fix.
This policy defines Jabra’s Vulnerability Disclosure Program for security vulnerabilities in Jabra products and services. As part of this is described how to report vulnerabilities in a responsible way.
The Product Vulnerability Disclosure Policy addresses all products and services, including software and hardware, sold under the Jabra brand.
We welcome reports about security vulnerabilities that impact the confidentiality, integrity, or availability of Jabra products and services, including unauthorized access, privilege escalation, code execution, or data exposure issues, provided they are not listed as out of scope below:
Our product vulnerability policy is designed to address vulnerabilities within our own products. Any vulnerabilities related to third-party vendors fall outside of this policy and should be reported directly to the vendor according to their disclosure policy (if any).
If acting in good faith when reporting vulnerabilities under this policy, Jabra will not pursue civil action or support any legal action related to your security research activity for accidental, good faith violations of this policy, or initiate a complaint to law enforcement for unintentional violations.
We encourage you to contact us - using the contact information below - for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
When trying to exploit a potential vulnerability, you must always consider the following conditions:
If you have discovered a security vulnerability affecting a Jabra product or service, please submit a vulnerability report using this form
If Personal Identifiable Information (PII) or any other confidential information is disclosed, report it to us while complying with applicable laws, i.e. limit your access to PII and any other confidential information and refrain from storing, saving, or transferring the data.
Upon receipt, Jabra will acknowledge the report, and we will investigate it and work out a fix to the vulnerability if validated. In this regard, an open confidential dialogue will be encouraged, and we might request additional information from you to help with the resolution.
Jabra commits to:
For confirmed vulnerabilities, we will prioritize remediation based on severity, exploitability, and potential impact. We will provide periodic updates on our progress (at least every 30 days) until a fix or mitigation has been released, or we have decided that no fix will be made.
Different product models may have unique architecture, firmware versions, and underlying technologies. Consequently, the development and testing of security patches can vary. We commit to addressing vulnerabilities across all affected models but acknowledge that delivery times may differ. Security patches might require patch input from third party vendors that might influence overall timeline of mitigating vulnerabilities.
Keep in mind that our customers' security is a priority and therefore we need to give them enough time to apply any fix that has been developed to remediate the vulnerability. In that regard, we request you not to disclose publicly any information about the vulnerability until the whole process has been completed, including the release of the fix, public disclosure of the vulnerability, and notification to our users and customers (if required).
Whenever applicable, Jabra will coordinate with you on a public disclosure of the vulnerability. Be informed that Jabra currently doesn't offer any monetary compensation nor bug bounty program for discovered vulnerabilities but an acknowledgment to the reporting person can be posted together with the security disclosure from Jabra.
| DATE (dd-mm-yyyy) | ID | INFORMATION |
|---|---|---|
27/05/2026 | CVE-2025-22871 | The vulnerabilities have been fully addressed in Jabra Direct release 8.1.14601. The main vulnerabilities were resolved by upgrading the Angular architecture framework used for the desktop application. |
29/09/2025 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. It has been fully addressed in Jabra Perform 75 (FW 2.28.0). The vulnerability was resolved by 29/09/2025. |
19/09/2025 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. |
29/04/2025 | CVE-2025-2783 | The vulnerability has been fully addressed in Jabra Direct release 6.22.11401 The vulnerability was resolved by upgrading the Electron framework used for the desktop application. |
26/09/2024 | Secure pairing in DECT products | |
15/04/2024 | Arbitrary Code Execution in Jabra Direct Online application | A potential vulnerability initially reported by RIPEDA Consulting on 2023-12-23 affecting the handling of the Electron fuse 'RunAsNode' has been addressed in Jabra Direct release 6.14.08801 |
19/03/2024 | CVE-2023-4863 (update) | The vulnerability has been fully addressed in Jabra Direct release 6.13.01801 while Personal Base Screen Image feature has been reverted back |
18/10/2023 | CVE-2023-4863 | The vulnerability has been addressed in Jabra Direct release 6.11.28601 by removing the Personal Base Screen Image which was available for Jabra Engage 75 |
22/04/2021 | Security Incident Bulletin Version 2.0 |
