Welcome to the HID Global Security Center. We take physical and digital security very seriously, with our experienced teams continuously working to strengthen security across our portfolio. To help this ongoing effort, we welcome input from customers, partners, end-users, and industry experts.
This site is designed to provide a destination for reporting security issues with HID Global products or technologies. Once submitted, our team will work quickly to identify, analyze, and respond to known vulnerabilities and provide action steps to help you manage security risks.
To access information and instructions on how to use the HID Global Security Resources Center, please click on the topics below.
HID Product Security Advisories
HID Global's Responsible Disclosure Policy
HID Global Corporation's (“HID” or “HID Global”) mission is to power the trusted identities of the world's people, places, and things and to make it possible for people to transact safely, work productively, and travel freely. We recognize that succeeding in this mission depends on our continued ability to provide secure products, services, and websites.
The importance of the security community is well-recognized within HID, and we welcome disclosures and collaboration with security researchers and others.
If you believe you have found a security vulnerability that could impact HID Global, our customers, or our end users, we ask that you notify us immediately. We will investigate all legitimate reports.
We appreciate your contributions to protecting our customers, users, and businesses.
All HID Global products, services, and websites are within scope.
Please note that we cannot authorize out-of-scope testing on third-party products or services. Vulnerabilities discovered in third-party products or services should be reported to the appropriate vendor.
Please use the form below to report a vulnerability.
- HID Global will follow standard industry practices for coordinated and responsible vulnerability disclosure. We ask all vulnerability reporters to do the same by allowing HID Global the opportunity to remediate reported vulnerabilities and to notify our affected customers and users before you disclose or share the vulnerability or methods to exploit it with any third party.
- HID Global product security advisories will be made publicly available at https://hidgobal.com/security-center and/or directly communicated to affected customers.
HID Global believes that security research performed in good faith should be provided safe harbor. Therefore, HID Global will not initiate or recommend any law enforcement or civil lawsuits related to activities conducted in good faith and in compliance with all applicable laws, and in a manner consistent with the expectations of this policy.
- Make a good faith effort to avoid harm to HID Global, our customers, and our end-users, including, but not limited to: privacy violations, destruction of data, and interruption or degradation of our services.
- Do not access or attempt to access HID Global offices, data centers, or user accounts.
- Do not test for spam, perform phishing, social engineer, or intentionally cause denial of service issues for HID Global services.
- Do not access or attempt to access our customers’ or end-users’ offices, data centers, or user accounts, or attempt other forms of penetration testing, without the direct, written approval of the system owner.
- Comply with all applicable laws and regulations; do not disrupt or compromise any data that is not your own, or further exploit a confirmed vulnerability.
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate a proof of concept. After HID validates your report, properly dispose of all copies of the data.
- Promptly report your findings to us through our approved channels.
HID Product Security Advisories
| Severity | Advisory ID | Title | Affected Products | Date |
|---|---|---|---|---|
| HIGH | HID-PSA-2022-004 | OpenSSL (CVE-2022-3602 & CVE-2022-3786) | All | 01-NOV-2022 |
| HIGH | HID-PSA-2022-003 | BN_mod_sqrt() – Denial of Service | ActivID Authentication | |
| CRITICAL | HID-PSA-2022-002 | HID SAFE – Yellowfin and SpringShell | HID SAFE versions 5.13 to version 5.17 | |
| HIGH | HID-PSA-2022-001 | iOS Device State Detection | HID Approve | 13-APR-2022 |
| CRITICAL | HID-PSA-2021-05v3 | Apache Log4j | ActivClient 7.3 | 05-JAN-2022 |
| CRITICAL | HID-PSA-2021-004v4 | Apache Log4j | Authentication Appliance | |
| Information | HID-PSA-2021-02 | Denial of Service Attacks on Bluetooth® Enabled Readers | HID® iCLASS SE® Readers with a Bluetooth® module; HID® iCLASS SE® Express & RB25F Readers; HID® Signo™ Readers; HID® iCLASS SE® Reader Modules with Bluetooth Low Energy Extender modules; HID® OMNIKEY® Readers 5x27CK | |
| Active Investigation | HID-PSA-2020-002v3 | nRF52 Fault Injection | HID® iCLASS SE® Express R10; HID® iCLASS SE® RB25F; HID® Signo™ Readers (models 20, 40, 20K, 40K, 25B) | |
| CRITICAL | HID-PSA-2020-001 | CSRF in OMNIKEY 5x27 Desktop Readers | OMNIKEY® 5427 and OMNIKEY 5127 Readers | 02-NOV-2020 |