For the smartcard operating system CardOS this information is compiled in the so-called Trust Center Information package containing release notes, manuals and guidance documents. Since this package is rated ‘confidential’ it can be obtained from the manufacturer under NDA only. Please contact cv-info@atos.net in case you need this information.
For products based on ePasslet Suite, the documentation is available as follows:
• For NXP eDoc Suite: via NXP DocStore.
• For Infineon Secora ID X Applet Collection with ePasslet Suite: please contact Infineon Technologies AG.
• For Veridos Suite – cryptovision ePasslet Suite: please contact Veridos GmbH.
For other CC certified products from Eviden please contact cv-info@atos.net.
2. Security updates for the Common Criteria certified smart card products: smart card operating systems and oncard applications/applets.
Common Criteria certification attests the evaluated security at time of evaluation. Typical validity of a Common Criteria certificate is 5 years. Security bulletins and updates will be provided for a minimum of 5 years from product certification date, unless the Common Criteria certificate is withdrawn.
3. Vulnerability responsible disclosure
Please use our PSIRT website to share any information on a potential vulnerability on one of our products.
4. Publicly disclosed vulnerabilities and cybersecurity advisories
Please refer to our PSIRT website for all publicly disclosed vulnerabilities and cybersecurity advisories concerning our products.
EVIDEN PSIRT – Product Security Incident Response Team
Vulnerability Handling Policy
This policy is valid for CardOS and ePasslet Suite products.
EVIDEN is committed to establishing, maintaining, and improving an Information Security Management System to mitigate the main risks it has identified relative to the security of its products and services. EVIDEN product development policy and practices prohibit any intentional behavior or product features which are designed to allow unauthorized device or network access, exposure of sensitive device information, including personal data, or a bypass of security features or restrictions. EVIDEN makes its best efforts to deliver its products without known exploitable vulnerabilities. EVIDEN encourages all parties to report suspected vulnerabilities for immediate investigation. Internal and external reports of these vulnerabilities will be managed and disclosed under the below terms.
Details
1 Reporting vulnerability
EVIDEN implements a responsible disclosure process that encompasses reporting EVIDEN’s products’ vulnerabilities.
EVIDEN investigates all reports regardless of the software code version or product lifecycle status. If the product has reached its End-of-Life, EVIDEN can decide to stop any further investigation at any time. A reported vulnerability will be processed through Product Security Incident Response.
2 Coordinated Vulnerability Disclosure
Vulnerability Statements are used in the Coordinated Disclosure process to rapidly provide information on whether EVIDEN products are potentially affected.
For Common Criteria certified products there are obligations to first inform the certification body regarding any known vulnerability and to align with the certification body about further vulnerability handling.
EVIDEN Security teams manage information related to vulnerabilities according to the Traffic Light Protocol (TLP 2.0) rules together with the general confidentiality obligations of EVIDEN’s security policies.
Throughout the investigative process EVIDEN strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action.
When the initial investigation is complete, results SHOULD be discussed with the incident reporter, as well as a plan for resolution and public disclosure.
During any investigation, EVIDEN manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, EVIDEN asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by EVIDEN through the appropriate coordinated disclosure.

Figure A – TLP 2.0 definitions (source: [CISA-TLP])
3 Vulnerability management lifecycle
Product Security Incident Response (PSIR) is the set of processes and resources EVIDEN puts in place to address vulnerabilities and defects related to Product Security. EVIDEN leverages the PSIRT Services Framework [FIRST-PSIRT] to implement its PSIR capacity.
EVIDEN’s PSIRT is organized in two consecutive phases: Neutralization and Remediation.
4 Vulnerability Neutralization
The neutralization phase is the decision-making process during which the risk posed by an incident is evaluated. The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management promoted by CERT-CC [UCM-SSVC]. EVIDEN follows the SSVC principles to determine its response priority. EVIDEN reserves the right to determine the type and degree of assistance it may offer in connection with any incident and to withdraw from any incident at any time, e.g., when the product has reached its End-of-Life.
EVIDEN may give priority consideration to security incidents that involve actual or potential threats to persons, property, or Critical Infrastructure Systems, as well as requests from law enforcement agencies or other incident response teams.

Figure C: Development Priority Outcomes (source: table 2 of [UCM-SSVC])
For clarity, there is no 1:1 mapping between CVSS scores and SSVC priority. A vulnerability rated at critical level under CVSS score can end with a Scheduled priority for its remediation.
5 Vulnerability Remediation
Before delivering a product firmware patch, some qualification tests SHALL be conducted by EVIDEN in conjunction with the customer. Delays are therefore mandatory to ensure an update does properly fix a vulnerability.
6 Vulnerability Communication Policy
Besides the remediation decision, the outcome of Neutralization can be a Vulnerability Statement and/or a Security Bulletin.
A Vulnerability Statement usually links public vulnerabilities with a list of EVIDEN products and provides basic status for each product: known not affected, known affected, under investigation, or fixed.
7 Reward Policy
With the agreement of the incident reporter, EVIDEN may acknowledge the reporter’s contribution during the public disclosure of the vulnerability. Upon explicit request from the incident reporter, EVIDEN will respect the incident reporter’s anonymity.
EVIDEN offers no reward for responsible reports of vulnerabilities on its products.
9 Security Bulletins
In a Security Bulletin, EVIDEN discloses the minimum amount of information needed to assess the impact of a vulnerability on an affected product and any potential steps needed to protect its environment. EVIDEN will try to suggest a solution, quick-fix, or workaround based on its knowledge, on a best-effort basis. “Currently no workaround available” is a valid statement in the context of the Neutralization phase. On a general basis, EVIDEN will not publicly disclose vulnerability details that could enable someone to craft an exploit before the end of the remediation phase. EVIDEN provides these security-related publications according to TLP rules.
10 References
[CERT-CC]
[CISA-TLP]
[FIRST-PSIRT] https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
[UCM-SSVC] https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459
11 Disclaimer
Although EVIDEN makes effort to provide accurate and complete information, EVIDEN shall not be liable for technical or editorial errors contained in its Security Bulletins. The information is provided “as is” without warranty of any kind. To the extent permitted by the Law, neither EVIDEN nor its affiliates, subcontractors or suppliers will be liable for incidental damage, downtime cost, lost profits, damages relating to the procurement of substitute products or services, or damages for loss of data, or software restoration.
The information in this document is subject to change without notice. Product and company names mentioned herein may be trademarks of their respective owners.
Responsible Disclosure
The EVIDEN PSIRT will handle all reports regarding vulnerabilities potentially affecting EVIDEN products with high priority. Security related topics out of the PSIRT scope may be redirected to the relevant teams on a case-by-case basis. Any request related to product support and other unrelated topics will be silently ignored.
Details
Vulnerabilities in EVIDEN products, and/or any sensitive data breach should be directly reported to cv-info@atos.net.
The EVIDEN PSIRT will handle reports regarding vulnerabilities potentially affecting EVIDEN products according to its Vulnerability Handling Policy.
Information to provide:
To ease analysis and understanding of a vulnerability report, please make sure to provide the necessary information in your report.
**Affected Product**
Make sure you provide the complete name of the product, and not only a brand such as CardOS.
**Vulnerability Summary**
Please summarize the identified vulnerability.
**Firmware / Software version**
If relevant, please provide the firmware / software version of the vulnerable product.
**Method / Protocol / URL used to access**
Describe the step-by-step procedure which can be used to evidence the vulnerability.
**Authenticated / unauthenticated status**
Don’t forget to describe the prerequisites of the procedure.
**Expected / Unexpected behavior**
Describe what you expected as a behavior, or what unexpected behavior you observed revealing the vulnerability.
**Contact**
Please provide contact information (Full Name, Phone number, etc.).
Your personal data will be processed according to Bull’s Privacy Policy for the sole purpose of Product Security Incident Response.
Encryption
Should you want to encrypt your message, please use the attached PGP key.
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key body not present in this copy of the page]
-----END PGP PUBLIC KEY BLOCK-----