Security

The joint ESR Labs Security and Product Security Incident Response Team (PSIRT) investigates all reports of security vulnerabilities and incidents affecting ESR Labs products and services. If you believe you have found a security issue, please contact the ESR Labs Security Team.

The identity of the reporting individual or organisation will be treated confidentially as long as the reported material is not subject to civil or criminal charges.

To contact us, write an email to security@esrlabs.com. The ESR Labs Security Team uses the PGP key below to sign security notifications and encourages others to use it when sending sensitive information, such as vulnerability details that may be extremely sensitive, to the ESR Labs Security Team.

Please include the following information:

  • The product and version(s) affected
  • Detailed description of the vulnerability

Key

Created: 2023-01-03
Expires: 2024-01-10
Key-ID: 9F3F74407F88BBC2
Fingerprint: CA4F FB9F B42A 4355 14A7 1FCE 9F3F 7440 7F88 BBC2

Fingerprint

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=973u
-----END PGP PUBLIC KEY BLOCK-----
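Before encrypting a report to the key above, a reporter should confirm that the key they imported is the one whose details are published here: the fingerprint must match, the published Key-ID must equal the last 16 hex digits of the fingerprint (that is how the 64-bit key ID of an OpenPGP v4 key is derived), and the key must still be within its validity window. The following Python script is an added example and not ESR Labs code; it assumes the key block was saved to a file, imported with `gpg --import`, and listed with `gpg --with-colons --fingerprint 9F3F74407F88BBC2`, and it parses that colon-separated output. The sample output embedded below is constructed for the example (the subkey and uid hash are placeholders).

```python
"""Consistency checks for a published OpenPGP key (added example, not ESR Labs code).

Assumed workflow:
    gpg --import esrlabs-security.asc
    gpg --with-colons --fingerprint 9F3F74407F88BBC2 > listing.txt
then pass the contents of listing.txt to check_gpg_output().
"""
import re
from datetime import date, datetime, timezone

# Values copied from the published key details on the page.
PUBLISHED_FINGERPRINT = "CA4F FB9F B42A 4355 14A7 1FCE 9F3F 7440 7F88 BBC2"
PUBLISHED_KEY_ID = "9F3F74407F88BBC2"
PUBLISHED_CREATED = date(2023, 1, 3)
PUBLISHED_EXPIRES = date(2024, 1, 10)

# Constructed sample of `gpg --with-colons --fingerprint` output (GnuPG 2.x layout).
# Epoch 1672704000 is 2023-01-03 UTC and 1704844800 is 2024-01-10 UTC.
# The subkey and uid hash are placeholders, not values from the real key.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:9F3F74407F88BBC2:1672704000:1704844800::-:::scESC::::::23::0:
fpr:::::::::CA4FFB9FB42A435514A71FCE9F3F74407F88BBC2:
uid:-::::1672704000::0123456789ABCDEF0123456789ABCDEF01234567::ESR Labs Security Team <security@esrlabs.com>::::::::::0:
sub:-:4096:1:89ABCDEF01234567:1672704000:1704844800:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces/colons, upper-case, and insist on a 40-hex-digit v4 fingerprint."""
    norm = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", norm):
        raise ValueError(f"not an OpenPGP v4 fingerprint: {fpr!r}")
    return norm


def long_key_id(fpr: str) -> str:
    """For v4 keys the 64-bit key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def _epoch_to_date(field: str):
    """Convert an epoch-seconds field to a UTC date; empty field means 'never'."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc).date() if field else None


def parse_gpg_colons(output: str) -> list:
    """Parse --with-colons records into one dict per primary key.

    In a `pub` record field 5 is the key ID, field 6 the creation time and
    field 7 the expiration time; the following `fpr` record carries the
    primary fingerprint in field 10. Subkey `fpr` records are ignored.
    """
    keys = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({
                "key_id": fields[4].upper(),
                "created": _epoch_to_date(fields[5]),
                "expires": _epoch_to_date(fields[6]),
                "fingerprint": None,
            })
        elif fields[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = normalize_fingerprint(fields[9])
    return keys


def check_key(record: dict, on: date) -> dict:
    """Compare one parsed key with the published details; every value should be True."""
    fpr = record["fingerprint"]
    expires = record["expires"] or date.max
    return {
        "fingerprint_matches": fpr == normalize_fingerprint(PUBLISHED_FINGERPRINT),
        "key_id_matches_fingerprint": long_key_id(fpr) == record["key_id"] == PUBLISHED_KEY_ID,
        "dates_match": record["created"] == PUBLISHED_CREATED and record["expires"] == PUBLISHED_EXPIRES,
        # Treated as expired from the listed expiry date onwards.
        "valid_on_date": record["created"] <= on < expires,
    }


def check_gpg_output(output: str, on_iso_date: str) -> dict:
    """Run all checks against gpg listing output for the given ISO date (YYYY-MM-DD)."""
    keys = parse_gpg_colons(output)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one primary key, got {len(keys)}")
    return check_key(keys[0], date.fromisoformat(on_iso_date))


if __name__ == "__main__":
    for name, ok in check_gpg_output(SAMPLE_GPG_OUTPUT, "2023-06-01").items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

Any `MISMATCH` means the imported key is not the published one (or is outside its validity window) and should not be used to encrypt a report; with the expiry listed above, the check also flags the key as no longer valid from 2024-01-10.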

Responsible Disclosure

ESR Labs is committed to working with the reporter of a vulnerability to establish what can be disclosed by the reporter. As the software from ESR Labs is primarily used in the embedded field, updating the software may not always be possible in a timely manner, or even possible at all.

Due to this, responsible disclosure will often need a much longer timeframe or a limitation of the information included in the disclosure. This is needed to allow ESR Labs’ customers to migrate or mitigate the vulnerability before the reporter’s disclosure can cause damage to those customers’ systems or products.

Vulnerability Handling Process

Security vulnerabilities in ESR Labs products are managed through the following process:

Reporting

The reporter receives an acknowledgment and updates throughout the handling process.

Analysis

ESR Labs confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority.

Triage

When feasible, ESR Labs develops mitigation strategies and fixes for the reported security vulnerability.

Communication

In most cases, ESR Labs will communicate directly with the affected customers.

Information Security Policy

1 Importance of information processing for the company

Information processing is of fundamental importance for operational tasks and for collaboration with customers. Essential strategic and operational functions and tasks are substantially supported by information technology (IT). It must be possible to compensate rapidly for IT system outages or disruptions; it is unacceptable for business in any subdivision to be impaired or fully halted.

The core competence of ESR Labs is the development of innovative software products. As such, the protection of information and systems from tampering or unauthorized access is of vital importance.

2 Overarching objectives

The availability of the data and IT systems in all technical and commercial domains will be secured such that the duration of foreseeable downtime is manageable. Malfunctions and irregularities in data and IT systems are acceptable only in exceptional circumstances and with negligible scope (integrity). The requirement for confidentiality is of an average, legally-conform level. The confidentiality, integrity and availability of data for software development and for external customer interfaces must meet the maximum level of requirements.

The scale of standard security measures must be commercially proportionate to the value of the data and IT systems being protected.

Incidents having significant financial implications must be prevented. To limit the financial impact of such incidents, certain associated risks will be covered by a commercial liability and/or electronics insurance policy.

All employees obey the relevant laws, including the Criminal Code (Germany), the Works Constitution Act (Germany), information security law and contractual rules. Negative financial and immaterial consequences for the company or its employees through violations of the law must be avoided. The relevant laws are readily available to employees in an internally accessible area of the Information Security Management System (ISMS).

The company management and its employees are aware of the responsibility involved in handling information and data. With the introduction of the ISMS, adherence to the Security Policy is mandatory; compliance will be enforced by the Management Board.

3 Detailed objectives

Delayed or erroneous management decisions may have far-reaching consequences. It is therefore of critical importance that up-to-date operationally relevant data is readily available. The availability and integrity of this information is considered to have a high security level.

To conform with Data Protection laws and to protect the interests of employees, the confidentiality of employee information must be guaranteed. The data and IT systems used by the Human Resources Department are therefore subject to high confidentiality measures. Customer and business partner data will be equally protected.

Communication with customers and access to the customer database is of primary importance for the sales team. Operational business must not be delayed or jeopardized. Failure to comply with contractual deadlines may have far-reaching negative consequences. The lack of availability of IT systems or data in particular, and malfunctions in general may lead to a loss of revenue. As such, the maintenance of communication and access to accurate data for salespeople has a high security level.

Software-development data has extremely high confidentiality requirements. Competitive advantage may be lost through the loss or theft of such data. Manipulation will be prevented and confidentiality protected through technical measures and the high awareness of employees.

The use of the internet for information-gathering and communication purposes is standard. Email replaces or complements other forms of office communication. The risks associated with internet use will be minimized using appropriate measures.

4 Information security management

A security organization has been created to achieve and maintain the information security objectives.

The security organization is comprised of the Chief Information Security Officer (CISO) and the Information Technology Security Team (IT Security Team).

The Chief Information Security Officer reports directly to the Management. The IT Security Team is responsible for the agreement, planning, implementation and checking of important decisions and tasks.

Time and funds will be made available to the Information Security Officer, the IT Security Team, and the IT Administrators to participate in training courses and keep themselves up-to-date, and to achieve the Information Security objectives set by the Management.

The work of the Information Security Officer, the IT Security Team and the IT Administrators will be fully supported by Project Managers and the IT Users.

The Chief Information Security Officer and the IT Security Team shall be involved in projects in the early stages such that security-relevant aspects may be considered in the initializing phase. Furthermore, they shall be made aware of security-relevant events and incidents.

IT Users must adhere to the instructions of the Chief Information Security Officer regarding security-relevant queries.

5 Security measures

A responsible person will be named for all Processes, IT applications and IT systems and will determine the relevant protection level and access rights. This responsibility can also be undertaken by the Chief Information Security Officer or the IT Security Team.

A substitute must be named for all responsible functions. The ability of substitutes to perform their respective tasks must be assured through knowledge sharing and sufficient documentation.

Buildings and rooms are protected by adequate access controls. Access to IT systems will be protected through the use of appropriate access controls while access to data will be protected through a restrictive authorization. Furthermore, mobile devices such as laptop computers will be encrypted as standard. Additionally, IT users are obliged to encrypt company mobile phones where possible.

Antivirus programs are used in all IT systems. Internet access is secured by an appropriate Firewall (UTM Solution). Security programs will be configured and administrated in such a way as to prevent manipulation and offer effective protection. To safeguard the security level and detect problems the IT Systems will be regularly maintained.

The security awareness of IT Users further supports these measures; vulnerabilities are reported to the relevant authority.

Loss of data cannot be fully excluded. Extensive data back-ups will ensure that IT-based operations can be quickly restored in the event of data loss or damage. Information will be consistently identified and stored such that it can be found quickly.

IT users participate in regular training sessions on the correct use of IT services and the associated security measures. Management supports needs-oriented training and development. Electronic ISMS Documentation and internal newsletters provide an ample source of information.

6 Continuous improvement of security

The accuracy and relevance of the Information Security Management System is regularly checked. Furthermore, regular checks will be made to ensure that security measures are implementable and of an appropriate awareness level amongst relevant employees.

Management supports the continuous improvement of the security level. Employees are required to communicate improvement potential and weaknesses to the relevant authority.

The desired level of security and data protection will be achieved through continuous review of the rules and their observance. Divergence will be analyzed with the goal of improving security and maintaining IT Security technology to the latest standards.

7 Entry into force

The aforementioned Information Security Policy is effective immediately.
