Welcome to the HID Global Security Resources Center. This secure site is constructed to provide a destination for reporting known security issues with HID Global products or technologies. Experienced industry experts will identify, analyze, and respond to known vulnerabilities and provide action steps to help you manage security risks.
To access information and instructions on how to use the HID Global Security Resources Center please click on the topics below.
HID Global's Responsible Disclosure Policy
HID Global believes that the disclosure of vulnerabilities is essential for improving the quality of our products and services, safety of our customers that rely on them, and awareness as to their choices relative to preserving their specific interests. HID Global values insight from the security research community and welcomes disclosure and collaboration with this community.
HID Global values the insight and commitment of security researchers and other vulnerability investigators to make the world a safer place by discovering vulnerabilities of security solutions and providing mechanisms to privately report them with legitimacy and integrity. Responsible disclosure ensures that security access infrastructure is tested and proven reliable. Moreover, the commitment to mitigate vulnerabilities is reassuring for our customers and the security industry as a whole.
The following is HID Global’s responsible disclosure policy:
- HID Global will disclose known vulnerabilities and their fixes to its customers in a manner that protects HID product end-users. Disclosures made by HID Global will include credit to the person who first identified the vulnerability, unless otherwise requested by the one who reported it.
- HID Global is open to communication and working with security researchers who come to HID Global with a shared interest to improve security and coordinate the distribution of information that includes both the vulnerability and the solution that addresses it.
- HID Global will publicly acknowledge in a written advisory the work of a security researcher who brings the company valid information about a vulnerability privately and then works with HID Global to coordinate the public announcement after a fix or patch has been developed and fully tested within a reasonable amount of time to be effective.
- Security researchers are allowed to post a link to the HID Global advisory on their own web sites as recognition for minimizing risks for the greater good and helping end-users protect themselves.
We ask the security researcher community to work with HID Global to coordinate the public disclosure of a vulnerability. Pre-maturely revealing a vulnerability publicly without first notifying HID Global could hurt organizations, exposing sensitive information and putting people and organizations in danger of malicious attacks.
This is why HID Global strongly advocates a two-step process: first, private disclosure of a potential vulnerability to HID Global. Once the vulnerability is validated and resolved, HID Global coordinates the public disclosure, which includes the recognition of the security researcher’s discovery, confirming that credit is given to the right person(s).
We also ask that researchers to recognize that our action to investigate, valid and remediate reported vulnerabilities varies based on complexity and severity. We will communicate expected timelines, changes and collaborate where possible. In addition, we request that researchers to not perform Denial of Service mechanisms or compromise HID user infrastructure or personal; information while doing so. Therefore, we request to contact us where we may provide products or specific test accounts for such purposes where reasonably necessary.
Like other leading companies, HID Global applies industry best practices for coordinated disclosure of vulnerabilities to protect the security ecosystem, ensure that customers get the highest quality information, and drive public discourse about ways to improve products, protocols, methodologies, standards and solutions.
As part of its responsible disclosure program, HID Global is seeking relationships with security researchers who adhere to a coordinated, shared responsibility approach to publicly disclosing a vulnerability. HID Global invites security researchers and other vulnerability investigators to join us in this effort.
CALL TO ACTION
If you believe you have discovered a vulnerability, click on the “Reporting Guidelines” tab in this HID Global Security Resources Center for instructions on how to contact the HID Global Security Response Team to report your finding privately.
Security Issue Reporting Guidelines
Steps to Report a Vulnerability.
Please include the information below in your e-mail report:
- First and last name
- Company name
- Contact phone number (optional)
- Preferred e-mail contact
- General description of vulnerability
- Product containing vulnerability (hardware & software versions), part numbers
- Tools, hardware and other configurations required to trigger the event
- Any security or service pack updates applied
- Document instructions to reproduce the event
- Sample code, proof of concept or executable used to produce event
- Definition of how the vulnerability will impact a user including how the attacker could breach security on-site
- Affected product
- System Details (develop for range of HID products)
- Technical Description and steps to reproduce
- PoC (link)
- Other parties and products involved
- Disclosure plans/dates/drivers
- What was the purpose and scope of research being performed when found (context)?
|HIGH||HID-PSA-2022-003||BN_mod_sqrt() – Denial of Service||ActivID Authentication Appliance||09-MAY-2022|
|CRITICAL||HID-PSA-2022-002||HID SAFE – Yellowfin and SpringShell||HID SAFE versions 5.13 to version 5.17||29-APR-2022|
|HIGH||HID-PSA-2022-001||iOS Device State Detection||HID Approve||13-APR-2022|
|CRITICAL||HID-PSA-2021-05v3||Apache Log4j||ActivClient 7.3||05-JAN-22|
|CRITICAL||HID-PSA-2021-004v4||Apache Log4j||Authentication Appliance
|Active Investigation||HID-PSA-2021-003v5||Apache Log4j||TBD||23-DEC-21|
|Information||HID-PSA-2021-02||Denial of Service Attacks on Bluetooth Enabled Readers||HID® iCLASS SE® Readers with a Bluetooth module,
HID® iCLASS SE® Express & RB25F Readers,
HID® Signo™ Readers,
HID® iCLASS SE® Reader Modules with BLE Extender modules,
HID® OMNIKEY® Readers 5x27CK
|Active Investigation||HID-PSA-2020-002v3||nRF52 Fault Injection||HID® iCLASS SE® Express R10
HID® iCLASS SE® RB25F
HID® Signo™ Readers (models 20, 40, 20K, 40K, 25B)
|CRITICAL||HID-PSA-2020-001||CSRF in OMNIKEY 5x27 Desktop Readers||OMNIKEY® 5427 and OMNIKEY 5127 Readers||02-NOV-2020|