Security Center


For secure identity solutions, product security is a top priority


Product Security

The HID Global Product Security Reporting Center is a secure and structured mechanism for reporting potential security issues with HID Global products, including those products under all of HID's primary brands: HID®, ActivIdentity®, EasyLobby®, FARGO® and LaserCard®.

Reports submitted through the Product Security Reporting Center are investigated, assessed, and validated within the framework of HID Global’s security response process and industry standard practices. The HID Global Security Response Team defines any appropriate actions which may be required to mitigate potential security issues and to keep customers informed.

Product Security Response

After receiving a product security report, the HID Global Security Response Team will issue an acknowledgement to the reporting party. Throughout the investigation process, the HID Global Security Response Team will communicate as required with reporting parties for purposes of confirming and validating the exact nature of the reported issue.


Report a Vulnerability

HID Global strongly recommends that all security vulnerability claims be sent to the HID Security Response Team via email at [email protected] using the HID Security Response PGP key. Note: HID Global encourages the use of this key for all sensitive information.

Please report any potential or real security vulnerability claim concerning any HID Global product to the HID Security Response Team at [email protected]

Important Information to Include in your E-Mail report

  • First and last name
  • Company name
  • Contact phone number (optional)
  • Preferred e-mail contact
  • General description of vulnerability
  • Product containing vulnerability (hardware & software versions), part numbers
  • Tools, hardware and other configurations required to trigger the event
  • Any security or service pack updates applied
  • Document instructions to reproduce the event
  • Sample code, proof of concept or executable used to produce event
  • Definition of how the vulnerability will impact a user including how the attacker could breach security on-site

HID Security Response PGP key

HID's hexadecimal PGP fingerprint:

AE39 3014 69EA 965A 0F6C 84B8 F6AF E172 DE1F 54A6

Visit PGP's Global Directory to look up HID's Key or copy it below:


Code Signing Public Keys

HID Global® installation packages are digitally signed, allowing you to verify the authenticity of our software before installation. We recommend installing HID software only after such verification.

Windows

On Microsoft® Windows®, verification is based on X.509 technology. The key of HID's chosen certification authority is pre-loaded by Microsoft in the Windows key store, so verification is seamless.

To verify the validity of an MSI or MSP installer package, open the Digital Signatures tab of the Windows file properties (right-click > Properties). Then select the HID Global signature from the signature list and click Details. The details should show the "This digital signature is OK" message.

 

Linux

On Linux®, verification is based on PGP technology. As no certification authority keys are pre-loaded on your system, you have to register our public key into your local key store. HID Global's PGP code signing public keys are available on most major key servers (such as PGP Global Directory at https://keyserver.pgp.com).

After downloading the key file (see below), apply the following steps depending on your operating system:

Step                     | Red Hat® Enterprise Linux | Debian® or Ubuntu®
Import public key        | rpm --import <keyfile>    | gpg --import <keyfile>
Verify package signature | rpm -K <rpmfile>          | gpg --verify <debfile>
Install package          | rpm -i <rpmfile>          | dpkg -i <debfile>

On Debian and Ubuntu, verification requires that the HID Global public key is trusted by your system:

  • If the PGP Global Directory verification key is already trusted by your system and you downloaded the HID Global public key from PGP Global Directory, then HID Global’s public key is automatically trusted after import.
  • If you have downloaded HID Global’s public key from a different key server or do not want to trust all keys downloaded from PGP Global Directory, you can trust our public key by signing it with your personal key after import using the following command:
      gpg --sign-key <keyid>
  • If you do not have a personal key, you can create one using the following command:
      gpg --gen-key
  • If you want to trust all keys downloaded from PGP Global Directory, you need to download the PGP Global Directory verification key, import it, sign it with your personal key, and set its trust level to ‘fully trusted’:
      gpg --recv-keys CA57AD7C   # automatic download and import from your default key server
      gpg --sign-key CA57AD7C
      gpg --edit-key CA57AD7C trust
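
The Debian/Ubuntu column of the steps above, written as a script that refuses to import the key file unless its primary-key fingerprint equals the one published under Code Signing Key Files on this page. This is an added example, not HID Global's own tooling; the function names are hypothetical, and it assumes a GnuPG release that provides --show-keys.

```sh
#!/bin/sh
# Added example: pin the published fingerprint before import, verify, install.

# Fingerprint published on this page for the ActivID code signing key.
EXPECTED_FPR="5CB2 ABC8 C7F1 687B 60CD C77A 9386 BBCE 66E8 AB60"

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print only primary-key
# fingerprints: field 10 of the fpr record that follows each pub record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             $1 == "sub" { want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its fingerprint equals the expected one. A key file that bundles extra
# keys, or that gpg could not parse (empty listing), is rejected.
keyfile_matches() {
    km_expected=$(normalize_fpr "$1")
    km_found=$(primary_fprs)
    [ "$(printf '%s\n' "$km_found" | grep -c .)" -eq 1 ] &&
        [ "$km_found" = "$km_expected" ]
}

# usage: verify_and_install <keyfile> <debfile>
verify_and_install() {
    # Inspect the key file without touching the keyring.
    gpg --with-colons --show-keys "$1" | keyfile_matches "$EXPECTED_FPR" ||
        { echo "key file fingerprint mismatch; not importing" >&2; return 1; }
    gpg --import "$1" || return 1
    # gpg exits non-zero on a bad or missing signature.
    gpg --verify "$2" ||
        { echo "signature check failed; not installing" >&2; return 1; }
    dpkg -i "$2"
}

# Run the procedure only when called with both arguments.
if [ "$#" -eq 2 ]; then verify_and_install "$1" "$2"; fi
```

The fingerprint comparison happens before import, so a key file fetched from an untrusted key server never enters the local keyring unless it is the published key.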

 

Code Signing Key Files

The following code signing key file is used in HID Global ActivID products.

The key ID is: 66E8AB60 (fingerprint: 5CB2 ABC8 C7F1 687B 60CD C77A 9386 BBCE 66E8 AB60).

You can download it from PGP Global Directory.

You can also copy it below:
