Program Overview
Allegion runs a vulnerability disclosure program on HackerOne. The program has 134 in-scope assets and is managed by HackerOne's triage team.
In-Scope Assets
| Asset | Type | Max Severity | Eligible |
|---|---|---|---|
| *.allegion.com | WILDCARD | Critical | No Bounty |
| *.allegionengage.com | WILDCARD | Critical | No Bounty |
| *.isonaspureaccesscloud.com | WILDCARD | Critical | No Bounty |
| *.my-mobilekey.com | WILDCARD | Critical | No Bounty |
| *.yonomi.co | WILDCARD | Critical | No Bounty |
| 9500IQ / 2800IQ Senior Swing Series Operators | OTHER | Critical | No Bounty |
| Aero USB RFID Reader | HARDWARE | Critical | No Bounty |
| BLEGateway (IF-4041) | HARDWARE | Critical | No Bounty |
| CISA Aero PMS Service (Windows) | OTHER | Critical | No Bounty |
| CISA Reader App (Windows) | OTHER | Critical | No Bounty |
| CISA Reader App (iMac) | OTHER | Critical | No Bounty |
| Domo Connexa Button | HARDWARE | Critical | No Bounty |
| Encoder 2 | HARDWARE | Critical | No Bounty |
| Interflex Managed Services (cloud) | OTHER | Critical | No Bounty |
| Interflex Software IF-6020 | OTHER | Critical | No Bounty |
| Interflex Software IF-6040 | OTHER | Critical | No Bounty |
| Interflex Software SP-EXPERT | OTHER | Critical | No Bounty |
| Interflex Terminals access control | HARDWARE | Critical | No Bounty |
| Interflex Terminals time recording | HARDWARE | Critical | No Bounty |
| Interflex controllers | HARDWARE | Critical | No Bounty |
| Interflex desktop readers and encoders | HARDWARE | Critical | No Bounty |
| MyEVO Lock Controller | HARDWARE | Critical | No Bounty |
| MyEVO RFID Transponder | HARDWARE | Critical | No Bounty |
| OpenX Wall Reader | HARDWARE | Critical | No Bounty |
| OpenX eCylinder | HARDWARE | Critical | No Bounty |
| OpenX eHandle | HARDWARE | Critical | No Bounty |
| Schlage CTE Single Door Controller | HARDWARE | Critical | No Bounty |
| Schlage Control | HARDWARE | Critical | No Bounty |
| Schlage Encode | HARDWARE | Critical | No Bounty |
| Schlage GWE Gateway | HARDWARE | Critical | No Bounty |
| Schlage LE/LEB | HARDWARE | Critical | No Bounty |
| Schlage NDE/NDEB | HARDWARE | Critical | No Bounty |
| Smart Software 4 | OTHER | Critical | No Bounty |
| Von Duprin RU/RM | HARDWARE | Critical | No Bounty |
| Wall Reader 2 | HARDWARE | Critical | No Bounty |
| XE360 | HARDWARE | Critical | No Bounty |
| XE360 with RealSync | HARDWARE | Critical | No Bounty |
| allegion.ca | URL | Critical | No Bounty |
| brio.com.au | URL | Critical | No Bounty |
| brionz.com | URL | Critical | No Bounty |
| briouk.com | URL | Critical | No Bounty |
| briousa.com | URL | Critical | No Bounty |
| com.allegion.IFkey | APPLE_STORE_APP_ID | Critical | No Bounty |
| com.allegion.access.store | APPLE_STORE_APP_ID | Critical | No Bounty |
| com.allegion.cisa.openx | APPLE_STORE_APP_ID | Critical | No Bounty |
| com.allegion.cisa.openx | GOOGLE_PLAY_APP_ID | Critical | No Bounty |
| com.allegion.cisa.openx_key | GOOGLE_PLAY_APP_ID | Critical | No Bounty |
| com.allegion.cisa.openxkey | APPLE_STORE_APP_ID | Critical | No Bounty |
| com.allegion.cisa.smartaccess | APPLE_STORE_APP_ID | Critical | No Bounty |
| com.allegion.cisa.smartaccess | GOOGLE_PLAY_APP_ID | Critical | No Bounty |
Showing 50 of 134 in-scope assets. View all on HackerOne.
Out-of-Scope Assets
- staebapp01.allegion.com
- stczpisupplier.allegion.com
- stisupplier.allegion.com
Tips for Hacking Allegion
- Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
- Enumerate the attack surface — Use subdomain enumeration and directory brute-forcing to map all accessible endpoints.
- Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
- Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
- Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.
Frequently Asked Questions
How do I start hacking Allegion?
Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.
Does Allegion pay bounties?
No, Allegion runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.
What types of vulnerabilities does Allegion accept?
Allegion accepts reports for vulnerabilities found in its 134 in-scope assets. Commonly accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.