

Jabra's commitment to product security
At Jabra, we take security and privacy seriously, and we commit to doing our best to secure our products and maintain our customers' trust.
As part of this commitment, Jabra supports its products with security updates and, where appropriate, mitigations for vulnerabilities that may affect the confidentiality, integrity, or availability of our products, throughout the support period for each product.

Product Vulnerability Disclosure Policy
Introduction
Jabra is committed to the security and assurance of all our products and services. We recognize the important role that independent security researchers and other members of the security community play in helping to protect our systems and data. To support this, Jabra welcomes vulnerability reports about our products so that our teams can collaborate with reporters to investigate the issue and, where appropriate, coordinate a security fix.
This policy defines Jabra’s Vulnerability Disclosure Program for security vulnerabilities in Jabra products and services. It also describes how to report vulnerabilities in a responsible way.

Scope
The Product Vulnerability Disclosure Policy addresses all products and services, including software and hardware, sold under the Jabra brand.
We welcome reports about security vulnerabilities that impact the confidentiality, integrity, or availability of Jabra products and services, including unauthorized access, privilege escalation, code execution, or data exposure issues, provided they are not listed as out of scope below:
- Suggestions on configuration management and/or misconfigurations based on best practices.
- Weak TLS/SSL configuration and certificates, including insecure cipher suites.
- UI/UX bugs.
Our product vulnerability policy is designed to address vulnerabilities within our own products. Any vulnerabilities related to third-party vendors fall outside of this policy and should be reported directly to the vendor according to their disclosure policy (if any).

Compliance with the policy
If you act in good faith when reporting vulnerabilities under this policy, Jabra will not pursue civil action or support any legal action related to your security research activity for accidental, good faith violations of this policy, or initiate a complaint to law enforcement for unintentional violations.
We encourage you to contact us - using the contact information below - for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
Guidelines
When trying to exploit a potential vulnerability, you must always consider the following conditions:
- Do not disrupt or perform actions that may negatively affect Jabra or our customers (denial of service, use of malware…).
- Destructive testing (including denial of service, data destruction, or malware deployment) is not accepted.
- Do not attempt to access any Jabra data, information, or systems.
- Do not modify, corrupt, or destroy (or attempt to do so) Jabra's data, information, or systems, or any data that might compromise the privacy or safety of Jabra's customers or third parties.
- Do not social engineer any Jabra employee or personnel related to the company in any way.
- Do not violate any laws or breach any agreements to discover a vulnerability.
- Treat any potential vulnerability responsibly: refrain from disclosing information to the public or third parties, and report the vulnerability to us instead.
Report a vulnerability
If you have discovered a security vulnerability affecting a Jabra product or service, please submit a vulnerability report using this form.
Provide the following information:
- A detailed description of the suspected vulnerability, including the type of issue, product and version affected, date of discovery, and any potential configuration applied to the product.
- Step-by-step instructions required to reproduce the vulnerability. If possible, provide screenshots or any other media that supports the process.
- Any additional information that might be of help when assessing the vulnerability.
If Personally Identifiable Information (PII) or any other confidential information is disclosed, report it to us while complying with applicable laws, i.e. limit your access to PII and any other confidential information and refrain from storing, saving, or transferring the data.
Procedure after reporting a vulnerability
Upon receipt, Jabra will acknowledge the report, and we will investigate it and work out a fix to the vulnerability if validated. In this regard, an open confidential dialogue will be encouraged, and we might request additional information from you to help with the resolution.
Jabra commits to:
- Acknowledge receipt of your report within 3 business days.
- Assess the report to determine whether we can reproduce the issue, whether it is in scope, and its potential severity. For reports that contain sufficient detail, we aim to provide an assessment within 2 weeks of acknowledgement.
- Communicate the outcome of our assessment to you and request any additional information if needed.
- For confirmed vulnerabilities, we will prioritize remediation based on severity, exploitability, and potential impact. We will provide periodic updates on our progress (at least every 30 days) until a fix or mitigation has been released, or we have decided that no fix will be made.
Different product models may have unique architecture, firmware versions, and underlying technologies. Consequently, the development and testing of security patches can vary. We commit to addressing vulnerabilities across all affected models but acknowledge that delivery times may differ. Security patches might require patch input from third-party vendors, which might influence the overall timeline for mitigating vulnerabilities.
Public acknowledgement, notification, and compensation
Keep in mind that our customers' security is a priority and therefore we need to give them enough time to apply any fix that has been developed to remediate the vulnerability. In that regard, we request you not to disclose publicly any information about the vulnerability until the whole process has been completed, including the release of the fix, public disclosure of the vulnerability, and notification to our users and customers (if required).
Whenever applicable, Jabra will coordinate with you on a public disclosure of the vulnerability. Please note that Jabra currently does not offer monetary compensation or a bug bounty program for discovered vulnerabilities, but an acknowledgment of the reporting person can be posted together with the security disclosure from Jabra.

Security advisories
| DATE (dd-mm-yyyy) | ID | INFORMATION |
|---|---|---|
| 27/05/2026 | CVE-2025-22871 | The vulnerabilities have been fully addressed in Jabra Direct release 8.1.14601. The main vulnerabilities were resolved by upgrading the Angular architecture framework used for the desktop application. |
| 23/01/2026 | CVE-2025-36911 | A vulnerability in Google Fast Pair (CVE-2025-36911 referred to as WhisperPair) could allow an attacker within Bluetooth range to impersonate a trusted device, potentially enabling unauthorized pairing, device control, audio interception, or limited device-tracking. With FW 4.6.0 (Jabra Elite 8 Active and Jabra Elite 10 Gen 1) and FW 2.6.0 (Jabra Elite 8 Active and Jabra Elite 10 Gen 2) this vulnerability is mitigated. |
| 29/09/2025 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. It has been fully addressed in Jabra Perform 75 (FW 2.28.0). The vulnerability was resolved by 29/09/2025. |
| 19/09/2025 | CVE-2025-20700 | The vulnerability allowed attackers within Bluetooth range to access the headset without pairing or authentication. In rare cases, this could result in unauthorized control of the headset, microphone eavesdropping, or access to recent call or media activity. |
| 29/04/2025 | CVE-2025-2783 | The vulnerability has been fully addressed in Jabra Direct release 6.22.11401. The vulnerability was resolved by upgrading the Electron framework used for the desktop application. |
| 26/09/2024 | Secure pairing in DECT products | |
| 15/04/2024 | Arbitrary Code Execution in Jabra Direct Online application | A potential vulnerability initially reported by RIPEDA Consulting on 2023-12-23 affecting the handling of the Electron fuse 'RunAsNode' has been addressed in Jabra Direct release 6.14.08801 |
| 19/03/2024 | CVE-2023-4863 (update) | The vulnerability has been fully addressed in Jabra Direct release 6.13.01801 while Personal Base Screen Image feature has been reverted back |
| 18/10/2023 | CVE-2023-4863 | The vulnerability has been addressed in Jabra Direct release 6.11.28601 by removing the Personal Base Screen Image which was available for Jabra Engage 75 |
| 22/04/2021 | Security Incident Bulletin Version 2.0 | |