Security Center

Welcome to the HID Global Security Resources Center. This secure site is constructed to provide a destination for reporting known security issues with HID Global products or technologies. Experienced industry experts will identify, analyze, and respond to known vulnerabilities and provide action steps to help you manage security risks.

To access information and instructions on how to use the HID Global Security Resources Center, please click on the topics below.

Disclosure Policy

Reporting Guidelines

HID Product Security Advisories


Disclosure Policy

HID Global's Responsible Disclosure Policy

HID Global believes that the disclosure of vulnerabilities is essential for improving the quality of our products and services, the safety of the customers who rely on them, and customers' awareness of the choices available to protect their specific interests. HID Global values insight from the security research community and welcomes disclosure and collaboration with this community.

HID Global values the insight and commitment of security researchers and other vulnerability investigators who make the world a safer place by discovering vulnerabilities in security solutions and reporting them privately, with legitimacy and integrity, through the mechanisms provided for that purpose. Responsible disclosure ensures that security access infrastructure is tested and proven reliable. Moreover, the commitment to mitigate vulnerabilities is reassuring for our customers and the security industry as a whole.

The following is HID Global’s responsible disclosure policy:

  • HID Global will disclose known vulnerabilities and their fixes to its customers in a manner that protects HID product end-users. Disclosures made by HID Global will include credit to the person who first identified the vulnerability, unless the reporter requests otherwise.
  • HID Global is open to communicating and working with security researchers who approach HID Global with a shared interest in improving security and in coordinating the distribution of information that covers both the vulnerability and the solution that addresses it.
  • HID Global will publicly acknowledge, in a written advisory, the work of a security researcher who privately brings the company valid information about a vulnerability and then works with HID Global to coordinate the public announcement after a fix or patch has been developed and fully tested, within a reasonable amount of time, so that the advisory is effective.
  • Security researchers are allowed to post a link to the HID Global advisory on their own websites as recognition for minimizing risks for the greater good and helping end-users protect themselves.

We ask the security researcher community to work with HID Global to coordinate the public disclosure of a vulnerability. Prematurely revealing a vulnerability publicly without first notifying HID Global could hurt organizations, exposing sensitive information and putting people and organizations in danger of malicious attacks.

This is why HID Global strongly advocates a two-step process: first, private disclosure of a potential vulnerability to HID Global. Once the vulnerability is validated and resolved, HID Global coordinates the public disclosure, which includes the recognition of the security researcher’s discovery, confirming that credit is given to the right person(s).

We also ask researchers to recognize that the time we need to investigate, validate and remediate reported vulnerabilities varies with their complexity and severity. We will communicate expected timelines and changes, and collaborate where possible. In addition, we request that researchers not perform Denial of Service attacks or compromise HID user infrastructure or personal information while conducting their research. Instead, we ask researchers to contact us so that we may provide products or specific test accounts for such purposes where reasonably necessary.

Like other leading companies, HID Global applies industry best practices for coordinated disclosure of vulnerabilities to protect the security ecosystem, ensure that customers get the highest quality information, and drive public discourse about ways to improve products, protocols, methodologies, standards and solutions.

As part of its responsible disclosure program, HID Global is seeking relationships with security researchers who adhere to a coordinated, shared responsibility approach to publicly disclosing a vulnerability. HID Global invites security researchers and other vulnerability investigators to join us in this effort.

CALL TO ACTION

If you believe you have discovered a vulnerability, click on the “Reporting Guidelines” tab in this HID Global Security Resources Center for instructions on how to contact the HID Global Security Response Team to report your finding privately.


Reporting Guidelines

Security Issue Reporting Guidelines

Steps to Report a Vulnerability

Please report any potential or real security vulnerability claim to the HID Security Resources Team via e-mail at secure@hidglobal.com. Please encrypt your e-mail with PGP and this public key.

Please include the information below in your e-mail report:

  • First and last name
  • Company name
  • Contact phone number (optional)
  • Preferred e-mail contact
  • General description of vulnerability
  • Product containing vulnerability (hardware & software versions), part numbers
  • Tools, hardware and other configurations required to trigger the event
  • Any security or service pack updates applied
  • Document instructions to reproduce the event
  • Sample code, proof of concept or executable used to produce event
  • Definition of how the vulnerability will impact a user, including how an attacker could breach security on-site
  • Affected product
  • System Details (develop for range of HID products)
  • Technical description and steps to reproduce
  • PoC (link)
  • Other parties and products involved
  • Disclosure plans/dates/drivers
  • What was the purpose and scope of research being performed when found (context)?


HID Product Security Advisories


| Severity | Identifier | Title | Product | Date |
|---|---|---|---|---|
| HIGH | HID-PSA-2022-003 | BN_mod_sqrt() – Denial of Service | ActivID Authentication Appliance | 09-MAY-2022 |
| CRITICAL | HID-PSA-2022-002 | HID SAFE – Yellowfin and SpringShell | HID SAFE versions 5.13 to 5.17 | 29-APR-2022 |
| HIGH | HID-PSA-2022-001 | iOS Device State Detection | HID Approve | 13-APR-2022 |
| CRITICAL | HID-PSA-2021-05v3 | Apache Log4j | ActivClient 7.3 | 05-JAN-2022 |
| CRITICAL | HID-PSA-2021-004v4 | Apache Log4j | Authentication Appliance; Authentication Server | 17-DEC-2021 |
| Active Investigation | HID-PSA-2021-003v5 | Apache Log4j | TBD | 23-DEC-2021 |
| Information | HID-PSA-2021-02 | Denial of Service Attacks on Bluetooth Enabled Readers | HID® iCLASS SE® Readers with a Bluetooth module; HID® iCLASS SE® Express & RB25F Readers; HID® Signo™ Readers; HID® iCLASS SE® Reader Modules with BLE Extender modules; HID® OMNIKEY® Readers 5x27CK | 09-AUG-2021 |
| Information | HID-PSA-2021-01 | Microsoft Exchange | None | 17-MAR-2021 |
| Information | HID-PSA-2020-003 | SolarWinds | None | 18-DEC-2020 |
| Active Investigation | HID-PSA-2020-002v3 | nRF52 Fault Injection | HID® iCLASS SE® Express R10; HID® iCLASS SE® RB25F; HID® Signo™ Readers (models 20, 40, 20K, 40K, 25B) | 05-APR-2021 |
| CRITICAL | HID-PSA-2020-001 | CSRF in OMNIKEY 5x27 Desktop Readers | OMNIKEY® 5427 and OMNIKEY 5127 Readers | 02-NOV-2020 |