Product Security

1. Guidance and recommendations for end users.

For the smartcard operating system CardOS this information is compiled in the so-called Trust Center Information package, containing release notes, manuals and guidance documents. Since this package is rated ‘confidential’, it can be obtained from the manufacturer under NDA only. Please contact cv-info@atos.net in case you need this information.

For products based on ePasslet Suite, the documentation is available as follows:
• for NXP eDoc Suite: via NXP DocStore;
• for Infineon Secora ID X Applet Collection with ePasslet Suite: please contact Infineon Technologies AG;
• for Veridos Suite – cryptovision ePasslet Suite: please contact Veridos GmbH.
For other CC certified products from Eviden please contact cv-info@atos.net.

2. Security updates for the Common Criteria certified smart card products: smart card operating systems and oncard applications/applets.

Common Criteria certification attests the evaluated security at time of evaluation. Typical validity of a Common Criteria certificate is 5 years. Security bulletins and updates will be provided for a minimum of 5 years from product certification date, unless the Common Criteria certificate is withdrawn.

3. Vulnerability responsible disclosure

Please use our PSIRT website to share any information on a potential vulnerability on one of our products.

4. Publicly disclosed vulnerabilities and cybersecurity advisories

Please refer to our PSIRT information below for all publicly disclosed vulnerabilities and cybersecurity advisories concerning our products.

EVIDEN PSIRT – Product Security Incident Response Team


Vulnerability Handling Policy

This policy is valid for CardOS and ePasslet Suite products.

EVIDEN is committed to establishing, maintaining, and improving an Information Security Management System to mitigate the main risks it has identified relative to the security of its products and services. EVIDEN product development policy and practices prohibit any intentional behavior or product features which are designed to allow unauthorized device or network access, exposure of sensitive device information, including personal data, or a bypass of security features or restrictions. EVIDEN makes its best efforts to deliver its products without known exploitable vulnerabilities. EVIDEN encourages all parties to report suspected vulnerabilities for immediate investigation. Internal and external reports of these vulnerabilities will be managed and disclosed under the below terms.


Details

1 Reporting a vulnerability

EVIDEN implements a responsible disclosure process that covers the reporting of vulnerabilities in EVIDEN’s products.

EVIDEN investigates all reports regardless of the software code version or product lifecycle status. If the product has reached its End-of-Life, EVIDEN can decide to stop any further investigation at any time. A reported vulnerability will be processed through Product Security Incident Response.

2 Coordinated Vulnerability Disclosure

Vulnerability Statements are used in the Coordinated Disclosure process to rapidly provide information on whether EVIDEN products are potentially affected.

For Common Criteria certified products there are obligations to first inform the certification body regarding any known vulnerability and to align with the certification body about further vulnerability handling.

EVIDEN Security teams manage information related to vulnerabilities according to the Traffic Light Protocol (TLP 2.0) rules together with the general confidentiality obligations of EVIDEN’s security policies.

Throughout the investigative process EVIDEN strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action.

When the initial investigation is complete, results SHOULD be discussed with the incident reporter, as well as a plan for resolution and public disclosure.

During any investigation, EVIDEN manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, EVIDEN asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by EVIDEN through the appropriate coordinated disclosure.

Figure A – TLP 2.0 definitions (source: [CISA-TLP])

3 Vulnerability management lifecycle

Product Security Incident Response (PSIR) is the set of processes and resources EVIDEN puts in place to address vulnerabilities and defects related to Product Security. EVIDEN leverages the PSIRT Services Framework [FIRST-PSIRT] to implement its PSIR capacity.

EVIDEN’s PSIRT is organized in two consecutive phases: Neutralization and Remediation.

4 Vulnerability Neutralization

The neutralization phase is the decision-making process during which the risk posed by an incident is evaluated. The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management promoted by CERT-CC [UCM-SSVC]. EVIDEN follows the SSVC principles to determine its response priority. EVIDEN reserves the right to determine the type and degree of assistance it may offer in connection with any incident and to withdraw from any incident at any time, e.g., when the product has reached its End-of-Life.

EVIDEN may give priority consideration to security incidents that involve actual or potential threats to persons, property, or Critical Infrastructure Systems, as well as requests from law enforcement agencies or other incident response teams.

Figure C: Development Priority Outcomes (source: table 2 of [UCM-SSVC])

For clarity, there is no 1:1 mapping between CVSS scores and SSVC priority. A vulnerability rated critical under CVSS can still end with a Scheduled priority for its remediation.

5 Vulnerability Remediation

Before delivering a product firmware patch, some qualification tests SHALL be conducted by EVIDEN in conjunction with the customer. Some lead time is therefore unavoidable to ensure that an update properly fixes a vulnerability.

6 Vulnerability Communication Policy

Besides the remediation decision, the outcome of Neutralization can be a Vulnerability Statement and/or a Security Bulletin.

A Vulnerability Statement usually links public vulnerabilities with a list of EVIDEN products and provides basic status for each product: known not affected, known affected, under investigation, or fixed.

7 Reward Policy

With the agreement of the incident reporter, EVIDEN may acknowledge the reporter’s contribution during the public disclosure of the vulnerability. Upon explicit request from the incident reporter, EVIDEN will respect the incident reporter’s anonymity.

EVIDEN offers no reward for responsible reports of vulnerabilities on its products.

9 Security Bulletins

In a Security Bulletin, EVIDEN discloses the minimum amount of information needed to assess the impact of a vulnerability on an affected product and any potential steps needed to protect its environment. EVIDEN will try to suggest a solution, quick-fix, or workaround based on its knowledge, on a best-effort basis. “Currently no workaround available” is a valid statement in the context of the Neutralization phase. As a general rule, EVIDEN will not publicly disclose vulnerability details that could enable someone to craft an exploit before the end of the remediation phase. EVIDEN provides these security-related publications according to TLP rules.

10 References

[CERT-CC] https://www.sei.cmu.edu/about/divisions/cert/index.cfm

[CISA-TLP] https://www.cisa.gov/tlp

[FIRST-PSIRT] https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1

[UCM-SSVC] https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459

11 Disclaimer

Although EVIDEN makes every effort to provide accurate and complete information, EVIDEN shall not be liable for technical or editorial errors contained in its Security Bulletins. The information is provided “as is” without warranty of any kind. To the extent permitted by the Law, neither EVIDEN nor its affiliates, subcontractors or suppliers will be liable for incidental damage, downtime cost, lost profits, damages relating to the procurement of substitute products or services, or damages for loss of data or software restoration.

The information in this document is subject to change without notice. Product and company names mentioned herein may be trademarks of their respective owners.

Responsible Disclosure

The EVIDEN PSIRT will handle all reports regarding vulnerabilities potentially affecting EVIDEN products with high priority. Security related topics out of the PSIRT scope may be redirected to the relevant teams on a case-by-case basis. Any request related to product support and other unrelated topics will be silently ignored.


Details

Vulnerabilities in EVIDEN products, and/or any sensitive data breach should be directly reported to cv-info@atos.net.

The EVIDEN PSIRT will handle reports regarding vulnerabilities potentially affecting EVIDEN products according to its Vulnerability Handling Policy.

Information to provide:

To ease analysis and understanding of a vulnerability report, please make sure to provide the necessary information in your report.

**Affected Product**

Make sure you provide the complete name of the product, and not only a brand such as CardOS.

**Vulnerability Summary**

Please summarize the identified vulnerability.

**Firmware / Software version**

If relevant, please provide the firmware / software version of the vulnerable product.

**Method / Protocol / URL used to access**

Describe the step-by-step procedure which can be used to evidence the vulnerability.

**Authenticated / unauthenticated status**

Don’t forget to describe the prerequisites of the procedure.

**Expected / Unexpected behavior**

Describe what you expected as a behavior, or what unexpected behavior you observed revealing the vulnerability.

**Contact**

Please provide contact information (Full Name, Phone number, etc.).

Your personal data will be processed according to the Eviden Privacy Policy for the sole purpose of Product Security Incident Response.

OpenPGP:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGoz35kBEACTd9exIjRwGTU/ysh2Op9ZhXf2wmfEDBJ2ga/GKM7Ua1FHO04D
qOstiVMJiWzVqOc5QI6Nu7Bw0KLat1Y5/vsFM5aLyBzKzSb0HnEQfCJXY7i/LzE4
hvwimeCXta1eCdfSwdCsPQCKy4wH3CmhV9aQEYuuqir07faZyTxrhj3iCqqOhAFe
qDmU9vqkiUIjAV6sNNKud78YdmPW0RBwtrWnO/LYNns+7FfoD8xGqoXDiBSH9L5O
v1sx8aD2hdCr7IzDWUVTJhTb9qrgd5YM+EpaJn6cdSd4yGolPXI0imS19QWU1JHZ
Iya6ExA3HWdjcldBcYeNbzKe1TVhvXwECOgPq+c/5keh4m9HRZaa0gaoZrecExoV
pUedP8aLCPFuwKgiwFNfx22rEk0o6vknLtfLgJmDmGFNaMn28STKDf+jwcZA20dc
XpNmMOFkMiHuKWZEI1F+DQfca9G36UNeO02OSfrhuwV/vj18STFxrBoNpKrFqtux
KF2AckM2HgiwsXcBWlTHATwz7dPEfw2vWpR0DdEUmIYHQvzm3Twkt3nnF1kNAcP6
AR0Louyt9QjQAH05LXnPgbHpknVf91W9iQ5MR3cn9hNpaez/7sNvSg+JjC92TSUK
KeTmSrP2jwjkz9Z+0UY85W7kghoQdRVUHeJ36zP9huoTiUFXBQsbIES9swARAQAB
tBpjdiBJbmZvIDxjdi1pbmZvQGF0b3MubmV0PokCIgQTAQoADAWCajP6TwUJBARs
qQAKCRD4geWI4b6n72ztD/9AMxX8xWRqJEU+b68yC0Vlt2TGa60lZLN5UcBEt5M1
hO03iKyzcwwWJzeoJILke0NPLXUGBrqMfGnL/IW2oo4A1pZ5e7m6au8kJwDgY86r
wDw8EHmp61jja31WhD4zypbkwmJFGh4/1a0PAXs1LB2rstUpfajVaj9njaKmE/lf
2SDgL0OsmRjDuVNQ+M/1RK9rn5mMUyj9+88KaZ/oEY+59pIw/cplAkf/NyjBZhrm
uDs+Mb9LcFvNxq2Yb3nDbtu8hlMY565Vos6R9PMgY+v0bVDGu+kV/oEuC4OwLlYp
vYp8/LBtMKElxEVmXCdscbWdqIEE6ZavIrO12ojmUkajD9hfeufiD1LDLr3LU3wP
0I7PzUt+c4oF6PaeMB1QBZ2pedBOy4d6X5tip+w8agSX+92o11N2D5wLNKYBUhwv
K54VteYL6Rnh4YNjOxwinhLF3sJB6OJRUcaqiheLfz7VAb4C/EZsONhFP6CLBCPu
MJFprYPd0Pp9U2+7MyA3tGSYNH4vKqBRGMWuNQAmZ6G9//0JuhCTNYClXrplsEux
SVsD6dWCCUnD4ADpAqzyHY9wwL5gnYEYNnNUpHup1Fc/ugNYXlq7FpRJln7BLEIy
k1F993hEPQHthCXUN2t6CP+8WOlC6Xrhg0pAFkNAfK5ZFnGxWlUIHCf9lkQeBHaA
HA==
=RqQT
-----END PGP PUBLIC KEY BLOCK-----

S/MIME:

-----BEGIN CERTIFICATE-----
MIIHHjCCBQagAwIBAgIMaWNDNT9f+bTwQxIhMA0GCSqGSIb3DQEBCwUAMFMxMzAxBgNVBAMMKkV2
aWRlbiBUcnVzdGVkUm9vdCBDbGllbnQgQ0EgZm9yIEF0b3MgMjAyMzEPMA0GA1UECgwGRXZpZGVu
MQswCQYDVQQGEwJERTAeFw0yNjA2MTgxMjA3NTNaFw0yODA4MDYxMjA3NTJaMHkxHzAdBgNVBGEM
Fk5UUkZSLUZSNzgwMi4zMjM2MjM2MDMxCzAJBgNVBAYTAkZSMQ0wCwYDVQQKDARBdG9zMRkwFwYD
VQQDDBBjdi1pbmZvQGF0b3MubmV0MR8wHQYJKoZIhvcNAQkBFhBjdi1pbmZvQGF0b3MubmV0MIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAk3fXsSI0cBk1P8rIdjqfWYV39sJnxAwSdoGv
xijO1GtRRztOA6jrLYlTCYls1ajnOUCOjbuwcNCi2rdWOf77BTOWi8gcys0m9B5xEHwiV2O4vy8x
OIb8Ipngl7WtXgnX0sHQrD0AisuMB9wpoVfWkBGLrqoq9O32mck8a4Y94gqqjoQBXqg5lPb6pIlC
IwFerDTSrne/GHZj1tEQcLa1pzvy2DZ7PuxX6A/MRqqFw4gUh/S+Tr9bMfGg9oXQq+yMw1lFUyYU
2/aq4HeWDPhKWiZ+nHUneMhqJT1yNIpktfUFlNSR2SMmuhMQNx1nY3JXQXGHjW8yntU1Yb18BAjo
D6vnP+ZHoeJvR0WWmtIGqGa3nBMaFaVHnT/GiwjxbsCoIsBTX8dtqxJNKOr5Jy7Xy4CZg5hhTWjJ
9vEkyg3/o8HGQNtHXF6TZjDhZDIh7ilmRCNRfg0H3GvRt+lDXjtNjkn64bsFf749fEkxcawaDaSq
xarbsShdgHJDNh4IsLF3AVpUxwE8M+3TxH8Nr1qUdA3RFJiGB0L85t08JLd55xdZDQHD+gEdC6Ls
rfUI0AB9OS15z4Gx6ZJ1X/dVvYkOTEd3J/YTaWns/+7Db0oPiYwvdk0lCink5kqz9o8I5M/WftFG
POVu5IIaEHUVVB3id+sz/YbqE4lBVwULGyBEvbMCAwEAAaOCAcowggHGMAwGA1UdEwEB/wQCMAAw
HwYDVR0jBBgwFoAUYptPQUBQPI8idg06up0nJPGvavwwgYcGCCsGAQUFBwEBBHsweTBRBggrBgEF
BQcwAoZFaHR0cDovL3BraS5hdG9zLm5ldC9Eb3dubG9hZC9FdmlkZW5UcnVzdGVkUm9vdENsaWVu
dENBZm9yQXRvczIwMjMuY2VyMCQGCCsGAQUFBzABhhhodHRwOi8vcGtpLW9jc3AuYXRvcy5uZXQw
GwYDVR0RBBQwEoEQY3YtaW5mb0BhdG9zLm5ldDBNBgNVHSAERjBEMAkGB2eBDAEFAgMwNwYNKwYB
BAGwLQUBAQEBATAmMCQGCCsGAQUFBwIBFhhodHRwczovL3BraS5hdG9zLm5ldC9DUFMwEwYDVR0l
BAwwCgYIKwYBBQUHAwQwWwYDVR0fBFQwUjBQoE6gTIZKaHR0cDovL3BraS1jcmwuYXRvcy5uZXQv
Y3JsL0V2aWRlbl9UcnVzdGVkUm9vdF9DbGllbnRfQ0FfZm9yX0F0b3NfMjAyMy5jcmwwHQYDVR0O
BBYEFBvbueKouzwN4TmkG+2ZJ3liqQEmMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsFAAOC
AgEAp0U1qfYrXpNcuyIQRlxwd3t9CX6dSGg89T3J1vYWZVDhKuoJKWgA4OfRt8Ttd9TtQ5MUmxro
bAyi24bKmiUJ55WcBmBspQJNSBcfCjwLa03yVzHAyacOb/wQw4CX5nFwOgknrCogNHfs3W8idyK2
PEf3RWv76yE8YeI4IQrshr81vwo0SyTdmIK4iAeOznK/SFLtMCY3ZcO+EeNgs/9/lv2q8klIFJcV
ewKJ/hxL0YHsLwZ7b5E5SMR+fuzdmV2kWEXm9/VMLgThjiJm5VRD2oMoTm9nUA+cDmC8eRps+DYi
4tR2nBhj8L65LQA7FGigKPQi6s+US2hW/syv4kIuTXrmdxKgTO5EgCIDU0FOvhL4JKx60Wx1Yj1J
uca5J46cbguKbRpArRZ1MDcUm4SkAZXbdt9zvomUXApzukOYBtIeSh/rWA4z0MpQwLQzLq1fF3Uc
rthHEZspLUOYCBuLDMhTWocYGdS8hW+hOV3z6FFmI6FaYNAV9t9eRDODA78//EK6SEsmFRzBQWh2
wLXQ9xaU10uwG+MCZ/QZ6TovOKX+VputwL8IPedsHPSt50kXqJEjzT21iztn3NjpXoEqxS2PKQKS
fhTOGx8BadLZNrvqRMoE0FMjP6MgCT0XAq/h0ljx/d6fuaBjzrfESgzDqRAj2OhLIW8Fpi0gIpua
C4Q=
-----END CERTIFICATE-----
