Security Center

Welcome to the HID Global Security Center. We take physical and digital security very seriously, with our experienced teams continuously working to strengthen security across our portfolio. To help this ongoing effort, we welcome input from customers, partners, end-users, and industry experts.

This site is the destination for reporting security issues with HID Global products or technologies. Once a report is submitted, our team works to identify, analyze, and respond to the reported vulnerability and to provide action steps that help you manage the resulting security risk.

The topics below explain how to use the HID Global Security Center.

Disclosure Policy

Report Vulnerability

HID Product Security Advisories

 

Disclosure Policy

HID Global's Responsible Disclosure Policy

HID Global Corporation's (“HID” or “HID Global”) mission is to power the trusted identities of the world's people, places, and things, making it possible for people to transact safely, work productively, and travel freely. We recognize that succeeding in this mission depends on our continued ability to provide secure products, services, and websites.

The importance of the security community is well-recognized within HID, and we welcome disclosures and collaboration with security researchers and others.

If you believe you have found a security vulnerability that could impact HID Global, our customers, or our end users, we ask that you notify us immediately. We will investigate all legitimate reports.

We appreciate your contributions to protecting our customers, users, and businesses.

Scope

All HID Global products, services, and websites are within scope.

Please note that we cannot authorize testing of third-party products or services; such testing is out of scope. Vulnerabilities discovered in third-party products or services should be reported to the appropriate vendor.

Reporting

Please use the form below to report a vulnerability.

Disclosure

  • HID Global follows standard industry practice for coordinated and responsible vulnerability disclosure, and asks reporters to do the same: give HID Global the opportunity to remediate a reported vulnerability and to notify affected customers and users before you disclose or share the vulnerability, or any method of exploiting it, with any third party.
  • HID Global product security advisories are published at https://www.hidglobal.com/security-center and/or communicated directly to affected customers.

Safe Harbor

HID Global believes that security research performed in good faith should be afforded safe harbor. HID Global therefore will not initiate or recommend law enforcement action or civil lawsuits for activities conducted in good faith, in compliance with all applicable laws, and in a manner consistent with the expectations of this policy.

Expectations

  • Make a good faith effort to avoid harm to HID Global, our customers, and our end-users, including, but not limited to: privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not access or attempt to access HID Global offices, data centers, or user accounts.
  • Do not test for spam, perform phishing, social engineer, or intentionally cause denial of service issues for HID Global services.
  • Do not access or attempt to access our customers' or end-users' offices, data centers, or user accounts, and do not attempt other forms of penetration testing against them without the direct, written approval of the system owner.
  • Comply with all applicable laws and regulations; do not disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate a proof of concept. After HID validates your report, properly dispose of all copies of the data.
  • Promptly report your findings to us through our approved channels.

 

HID Product Security Advisories

Severity / Status | Identifier | Title | Product(s) | Date (DD-MM-YYYY) | Document
HIGH | HID-PSA-2024-001 | Sensitive Data Extraction from Reader Configuration Cards | Reader configuration cards | 29-01-2024 | Sensitive Data Extraction from Reader Configuration Cards
HIGH | HID-PSA-2024-002 | Secure Channel Downgrade in Encoders/Readers | HID iCLASS® SE™ CP1000 Encoder | 29-01-2024 | Secure Channel Downgrade in Encoders/Readers
HIGH | HID-PSA-2023-001 | SAFE Visitor Manager Portal (CVE-2023-2904) | SAFE | 01-06-2023 | SAFE Visitor Manager Portal
HIGH | HID-PSA-2022-004 | OpenSSL (CVE-2022-3602 & CVE-2022-3786) | All | 02-11-2022 | OpenSSL (CVE-2022-3602 & CVE-2022-3786)
HIGH | HID-PSA-2022-003 | BN_mod_sqrt() – Denial of Service | ActivID Authentication Appliance | 09-05-2022 | BN_mod_sqrt() – Denial of Service
CRITICAL | HID-PSA-2022-002 | HID SAFE – Yellowfin and SpringShell | HID SAFE versions 5.13 to 5.17 | 29-04-2022 | HID SAFE – Yellowfin and SpringShell Advisory
HIGH | HID-PSA-2022-001 | iOS Device State Detection | HID Approve | 13-04-2022 | HID Approve Security Advisory
CRITICAL | HID-PSA-2021-05v3 | Apache Log4j | ActivClient 7.3 | 05-01-2022 | Apache Log4j 5v3 (CVE-2021-44228) TLP
CRITICAL | HID-PSA-2021-003v5 | Apache Log4j | All | 23-12-2021 | Apache Log4j 03v5
CRITICAL | HID-PSA-2021-004v4 | Apache Log4j | Authentication Appliance; Authentication Server | 17-12-2021 | HID PSA 2021 04v4
Information | HID-PSA-2021-02 | Denial of Service Attacks on Bluetooth® Enabled Readers | HID® iCLASS SE® Readers with a Bluetooth® module; HID® iCLASS SE® Express & RB25F Readers; HID® Signo™ Readers; HID® iCLASS SE® Reader Modules with Bluetooth Low Energy Extender modules; HID® OMNIKEY® 5x27CK Readers | 09-08-2021 | Denial of Service Attacks on Bluetooth enabled Reader Products
Active Investigation | HID-PSA-2020-002v3 | nRF52 Fault Injection | HID® iCLASS SE® Express R10; HID® iCLASS SE® RB25F; HID® Signo™ Readers (models 20, 40, 20K, 40K, 25B) | 05-04-2021 | nRF52 Fault Injection
Information | HID-PSA-2021-01 | Microsoft Exchange | None | 17-03-2021 | Microsoft Exchange
Information | HID-PSA-2020-003 | SolarWinds | None | 18-12-2020 | SolarWinds
CRITICAL | HID-PSA-2020-001 | CSRF in OMNIKEY 5x27 Desktop Readers | OMNIKEY® 5427 and OMNIKEY 5127 Readers | 02-11-2020 | CSRF in OMNIKEY 5x27 Desktop Readers
Advisories are also available as an RSS feed. Any RSS reader will do; Outlook is a common choice. In Outlook, right-click the RSS Subscriptions folder, choose "Add a New RSS Feed", and paste https://www.hidglobal.com/security-center/security-advisories. Outlook creates a new folder that receives every Security Center feed update.
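The Outlook steps above serve one inbox; teams that want new advisories to land in a ticket queue or chat channel usually poll the feed with a script instead. The following Python example is added here and is not HID Global's code: it parses an RSS 2.0 feed, pulls the HID-PSA identifier and the severity out of each item title, and returns the advisories not yet seen at or above a chosen severity, newest first. The item layout (severity prefix in the title, pubDate, link), the example.invalid links and the sample feed are constructed assumptions; the real feed at https://www.hidglobal.com/security-center/security-advisories may lay items out differently, so adjust parse_feed to match what it actually returns.

```python
"""Poll-and-diff helper for an RSS feed of HID product security advisories.

Added example, not HID Global's code. The feed layout below is an assumption:
the real feed at https://www.hidglobal.com/security-center/security-advisories
may place the identifier or severity elsewhere, so adjust parse_feed() to match.
"""
import re
import xml.etree.ElementTree as ET  # for feeds you do not trust, prefer defusedxml
from email.utils import parsedate_to_datetime

# Constructed sample feed used as an offline stand-in for the live feed.
# The example.invalid links are placeholders, not real HID URLs.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>HID Product Security Advisories</title>
    <item>
      <title>HIGH: HID-PSA-2024-002 Secure Channel Downgrade in Encoders/Readers</title>
      <link>https://example.invalid/psa/2024-002</link>
      <pubDate>Mon, 29 Jan 2024 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>CRITICAL: HID-PSA-2020-001 CSRF in OMNIKEY 5x27 Desktop Readers</title>
      <link>https://example.invalid/psa/2020-001</link>
      <pubDate>Mon, 02 Nov 2020 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Information: HID-PSA-2021-01 Denial of Service Attacks on Bluetooth Enabled Readers</title>
      <link>https://example.invalid/psa/2021-01</link>
      <pubDate>Mon, 09 Aug 2021 00:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""

# Identifiers on the advisories page look like HID-PSA-2022-004, HID-PSA-2021-05v3
# or HID-PSA-2020-002v3: year, two- or three-digit sequence, optional revision.
ADVISORY_ID = re.compile(r"\bHID-PSA-\d{4}-\d{2,3}(?:v\d+)?\b")

# Rank used for threshold filtering; "Information" entries rank lowest.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATION": 0}


def parse_feed(xml_text):
    """Return one dict per advisory item: id, severity, title, link, published."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        match = ADVISORY_ID.search(title)
        if not match:
            continue  # not an advisory item (e.g. general news); ignore it
        # Assumed title layout: "<severity>: <identifier> <title text>"
        severity = title.split(":", 1)[0].strip().upper() if ":" in title else "UNKNOWN"
        published = parsedate_to_datetime(item.findtext("pubDate"))
        entries.append({
            "id": match.group(0),
            "severity": severity,
            "title": title,
            "link": (item.findtext("link") or "").strip(),
            "published": published,
        })
    return entries


def new_advisories(entries, seen_ids, min_severity="HIGH"):
    """Advisories not in seen_ids with severity >= min_severity, newest first.

    A revised advisory (HID-PSA-2021-05v3 after v2) carries a new identifier, so
    it is reported again, which is what you want for re-issued guidance.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    fresh = [
        e for e in entries
        if e["id"] not in seen_ids
        and SEVERITY_RANK.get(e["severity"], -1) >= threshold
    ]
    return sorted(fresh, key=lambda e: e["published"], reverse=True)


if __name__ == "__main__":
    # In practice: fetch the feed over HTTPS, load seen_ids from a state file,
    # then ticket or page on whatever new_advisories() returns. Offline sample here.
    seen = {"HID-PSA-2020-001"}
    for adv in new_advisories(parse_feed(SAMPLE_FEED), seen, min_severity="INFORMATION"):
        print(f'{adv["severity"]:<12} {adv["id"]:<20} {adv["published"]:%Y-%m-%d}  {adv["link"]}')
```

Persist the set of identifiers you have already handled between runs; because revisions get a fresh identifier (v3, v5), a re-issued advisory surfaces again without any special casing.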