Vulnerability Reporting Policy
WISeKey takes security issues seriously and welcomes feedback from researchers and the security community in order to improve the security of its products and services.
We acknowledge the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. We commit to working to verify and address any potential vulnerabilities that are reported to us.
Reporting a potential security vulnerability:
To send us a notification about a vulnerability or any other potential security risk, please privately share the details of the issue with WISeKey by sending an email to firstname.lastname@example.org
Please provide this information in the notification:
- A detailed description of the issue.
- Product/technology and versions affected.
- The tools and methods used to confirm the issue.
- Evidence (for example, screenshots, logs, terminal output and so on) showing the issue.
We request users encountering a new vulnerability to contact us privately as it is in the best interests of our customers that WISeKey has an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge and exploited to harm our customers.
Classes of Vulnerabilities in WISeKey Products
Vulnerabilities that can be exploited by an unauthenticated attacker from the Internet or those that break the security controls of a locally installed product. The exploitation results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction.
Vulnerabilities that are not rated critical but whose exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers.
Vulnerabilities where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.
All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.
WISeKey’s Response Plan
- Notification: WISeKey receives private reports on vulnerabilities via its mailbox, from customers and from WISeKey field personnel. We also monitors public repositories of software security vulnerabilities to identify newly discovered vulnerabilities that may affect one or more of our products.
- Acknowledgement and Initial Analysis: After receipt of a report of a vulnerability, we’ll determine which products are affected and what the severity of the vulnerability is. WISeKey will provide feedback to the reporter of the vulnerability and work with them to fix the issue.
- Fix or Corrective Action: WISeKey will release of a fix for the reported vulnerability. The fix may be a new release of the product or a patch to be installed on existing systems.
- Customer Notification: If possible, we will notify its customers by a note published in our website or by a direct email message, for customers registered as users of the affected system.
WISeKey does not permit the following types of security research:
- Performing actions that may negatively affect WISeKey or its users (e.g. Spam, Brute Force, Denial of Service…)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on WISeKey personnel, property or data centers
- Social engineering any WISeKey service desk, employee or contractor
- Violating any laws or breaching any agreements in order to discover vulnerabilities