Security

The joint ESR Labs Security and Product Security Incident Response Team (PSIRT) investigates all reports of security vulnerabilities and incidents affecting ESR Labs products and services. If you believe you have found a security issue, please contact the ESR Labs Security Team.

The identity of the reporting individual or organisation will be treated confidentially as long as the reported material is not subject to civil or criminal charges.

To contact us, you may write an email to: security@esrlabs.com

The ESR Labs Security Team uses the PGP key below to sign security notifications and encourages others to use this key when sending sensitive information, such as vulnerability details that may be extremely sensitive, to the ESR Labs Security Team.

Please include the following information:

  • The product and version(s) affected
  • Detailed description of the vulnerability

Key

Created: 2020-02-12
Expires: 2024-01-25

Fingerprint

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Responsible Disclosure

ESR Labs is committed to working with the reporter of a vulnerability to establish what can be disclosed by the reporter. As software from ESR Labs is primarily used in the embedded field, updating the software may not always be possible in a timely manner, or may not be possible at all.

Because of this, a responsible disclosure will often need a much longer timeframe or a limitation on the information included in the disclosure. This is necessary to allow ESR Labs’ customers to migrate or mitigate the vulnerability before the reporter’s disclosure can cause damage to those customers’ systems or products.

Vulnerability Handling Process

Security vulnerabilities in ESR Labs products are managed through the following process:

Reporting

The reporter receives an acknowledgment and updates throughout the handling process.

Analysis

ESR Labs confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority.

Triage

When feasible, ESR Labs develops mitigation strategies and fixes for the reported security vulnerability.

Communication

In most cases, ESR Labs will communicate directly to the affected customers.

Information Security Policy

1 Importance of information processing for the company

Information processing is of fundamental importance for operational tasks and collaboration with customers. Essential strategic and operative functions and tasks are substantially supported by information technology (IT). It must be possible to compensate rapidly for IT system outages or disturbances. It is also unacceptable for business in subdivisions to be impacted or fully impeded.

The core competence of ESR Labs is the development of innovative software products. As such, the protection of information and systems from tampering or unauthorized access is of vital importance.

2 Overarching objectives

The availability of the data and IT systems in all technical and commercial domains will be secured such that the duration of foreseeable downtime is manageable. Malfunctions and irregularities in data and IT systems are acceptable only in exceptional circumstances and with negligible scope (integrity). The requirement for confidentiality is of an average, legally-conform level. The confidentiality, integrity and availability of data for software development and for external customer interfaces must meet the maximum level of requirements.

The scale of standard security measures must be commercially proportionate to the value of the data and IT systems being protected.

Incidents having significant financial implications must be prevented. To limit the financial impact of such incidents, certain associated risks will be covered by a commercial liability and/or electronics insurance policy.

All employees must comply with the relevant laws, including the Criminal Code (Germany), the Works Constitution Act (Germany), information security law and contractual rules. Negative financial and immaterial consequences for the company or its employees through breaches of the law must be avoided. The relevant laws are readily available to employees in an internally accessible area of the Information Security Management System (ISMS).

The company management and its employees are aware of the responsibility involved in information and data handling; furthermore, with the introduction of the ISMS, adherence to the Security Policy is mandatory. Compliance will be enforced by the Management Board.

3 Detailed objectives

Delayed or erroneous management decisions may have far-reaching consequences. It is therefore of critical importance that up-to-date operationally relevant data is readily available. The availability and integrity of this information is considered to have a high security level.

To conform with Data Protection laws and to protect the interests of employees, the confidentiality of employee information must be guaranteed. The data and IT systems used by the Human Resources Department are therefore subject to high confidentiality measures. Customer and business partner data will be equally protected.

Communication with customers and access to the customer database is of primary importance for the sales team. Operational business must not be delayed or jeopardized. Failure to comply with contractual deadlines may have far-reaching negative consequences. Unavailability of IT systems or data in particular, and malfunctions in general, may lead to a loss of revenue. As such, maintaining communication and access to accurate data for salespeople has a high security level.

Software-development data has extremely high confidentiality requirements. Competitive advantage may be lost through the loss or theft of such data. Manipulation will be prevented and confidentiality protected through technical measures and the high awareness of employees.

The use of the internet for information-gathering and communication purposes is standard. Email replaces or complements other forms of office communication. The risks associated with internet use will be minimized using appropriate measures.

4 Information security management

A security organization has been created to achieve and maintain the information security objectives.

The security organization comprises the Chief Information Security Officer (CISO) and the Information Technology Security Team (IT Security Team).

The Chief Information Security Officer reports directly to the Management. The IT Security Team is responsible for the agreement, planning, implementation and checking of important decisions and tasks.

Time and funds will be made available to the Information Security Officer, the IT Security Team, and the IT Administrators to participate in training courses and keep themselves up-to-date, and to achieve the Information Security objectives set by the Management.

The work of the Information Security Officer, the IT Security Team and the IT Administrators will be fully supported by Project Managers and the IT Users.

The Chief Information Security Officer and the IT Security Team shall be involved in projects in the early stages such that security-relevant aspects may be considered in the initializing phase. Furthermore, they shall be made aware of security-relevant events and incidents.

IT Users must adhere to the instructions of the Chief Information Security Officer regarding security-relevant queries.

5 Security measures

A responsible person will be named for all processes, IT applications and IT systems and will determine the relevant protection level and access rights. This responsibility can also be undertaken by the Chief Information Security Officer or the IT Security Team.

A substitute must be named for all responsible functions. The ability of substitutes to perform their respective tasks must be assured through knowledge sharing and sufficient documentation.

Buildings and rooms are protected by adequate access controls. Access to IT systems will be protected through appropriate access controls, while access to data will be protected through restrictive authorization. Furthermore, mobile devices such as laptop computers will be encrypted as standard. Additionally, IT users are obliged to encrypt company mobile phones where possible.

Antivirus programs are used on all IT systems. Internet access is secured by an appropriate firewall (UTM solution). Security programs will be configured and administered in such a way as to prevent manipulation and offer effective protection. To safeguard the security level and detect problems, the IT systems will be regularly maintained.

The security awareness of IT users further supports the security measures; vulnerabilities are reported to the relevant authority.

Loss of data cannot be fully excluded. Extensive data back-ups will ensure that IT-based operations can be quickly restored in the event of data loss or damage. Information will be consistently identified and stored such that it can be found quickly.

IT users participate in regular training sessions on the correct use of IT services and the associated security measures. Management supports needs-oriented training and development. Electronic ISMS Documentation and internal newsletters provide an ample source of information.

6 Continuous improvement of security

The accuracy and relevance of the Information Security Management System is regularly checked. Furthermore, regular checks will be made to ensure that security measures are implementable and that relevant employees are sufficiently aware of them.

Management supports the continuous improvement of the security level. Employees are required to communicate improvement potential and weaknesses to the relevant authority.

The desired level of security and data protection will be achieved through continuous review of the rules and their observance. Divergence will be analyzed with the goal of improving security and maintaining IT Security technology to the latest standards.

7 Entry into force

The aforementioned Information Security Policy is effective immediately.
