The joint ESR Labs Security and Product Security Incident Response Team (PSIRT) investigates all reports of security vulnerabilities and incidents affecting ESR Labs products and services. If you believe you have found a security issue, please contact the ESR Labs Security Team.
The identity of the reporting individual or organisation will be treated confidentially as long as the reported material is not subject to civil or criminal charges.
To contact us, you may write an email to: firstname.lastname@example.org
The ESR Labs Security Team uses the PGP key below to sign security notifications and encourages others to use this key when sending sensitive information, such as vulnerability details that may be extremely sensitive, to the ESR Labs Security Team.
Please include the following information:
- The product and version(s) affected
- Detailed description of the vulnerability
Fingerprint CA4F FB9F B42A 4355 14A7 1FCE 9F3F 7440 7F88 BBC2
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
ESR Labs is committed to working with the reporter of a vulnerability to establish what can be disclosed by the reporter. As the software from ESR Labs is primarily used in the embedded field, updating the software may not always be possible in a timely manner, or even possible at all.
Due to this, a responsible disclosure will often need a much longer timeframe or a limitation of the information included in the disclosure. This is needed in order to allow ESR Labs’ customers to migrate or mitigate the vulnerability before damage can be done to ESR Labs’ customers’ systems or products as a result of the reporter’s disclosure.
Vulnerability Handling Process
Security vulnerabilities in ESR Labs products are managed through the following process:
- The reporter receives an acknowledgment and updates throughout the handling process.
- ESR Labs confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority.
- When feasible, ESR Labs develops mitigation strategies and fixes for the reported security vulnerability.
- In most cases, ESR Labs will communicate directly with the affected customers.
Information Security Policy
Importance of information processing for the company
Information processing is of primary importance for operational tasks and collaboration with customers. Essential strategic and operative functions and tasks are substantially supported by information technology (IT). It must be possible to compensate for IT system outages or disturbances rapidly. It is also unacceptable for business in subdivisions to be impacted or fully impeded.
The core competence of ESR Labs is the development of innovative software products. As such, the protection of information and systems from tampering or unauthorized access is of vital importance.
The availability of the data and IT systems in all technical and commercial domains will be secured such that the duration of foreseeable downtime is manageable. Malfunctions and irregularities in data and IT systems are acceptable only in exceptional circumstances and with negligible scope (integrity). The requirement for confidentiality is of an average, legally compliant level. The confidentiality, integrity and availability of data for software development and for external customer interfaces must meet the maximum level of requirements.
The scale of standard security measures must be commercially proportionate to the value of the data and IT systems being protected.
Incidents having significant financial implications must be prevented. To limit the financial impact of such incidents, certain associated risks will be covered by a commercial liability and/or electronics insurance policy.
All employees obey the relevant laws, including: the Criminal Code (Germany), the Works Constitution Act (Germany), information security law and contractual rules. Negative financial and immaterial consequences for the company or its employees through violation of the law must be avoided. The relevant laws are readily available to employees in an internally accessible area of the Information Security Management System (ISMS).
The company management and its employees are aware of the responsibility involved in information and data handling; furthermore, with the introduction of the ISMS, adherence to the Security Policy is mandatory. Compliance will be enforced by the Management Board.
Delayed or erroneous management decisions may have far-reaching consequences. It is therefore of critical importance that up-to-date operationally relevant data is readily available. The availability and integrity of this information is considered to have a high security level.
To conform with Data Protection laws and to protect the interests of employees, the confidentiality of employee information must be guaranteed. The data and IT systems used by the Human Resources Department are therefore subject to high confidentiality measures. Customer and business partner data will be equally protected.
Communication with customers and access to the customer database is of primary importance for the sales team. Operational business must not be delayed or jeopardized. Failure to comply with contractual deadlines may have far-reaching negative consequences. The lack of availability of IT systems or data in particular, and malfunctions in general may lead to a loss of revenue. As such, the maintenance of communication and access to accurate data for salespeople has a high security level.
Software-development data has extremely high confidentiality requirements. Competitive advantage may be lost through the loss or theft of such data. Manipulation will be prevented and confidentiality protected through technical measures and the high awareness of employees.
The use of the internet for information-gathering and communication purposes is standard. Email replaces or complements other forms of office communication. The risks associated with internet use will be minimized using appropriate measures.
A security organization has been created to achieve and maintain the information security objectives.
The security organization comprises the Chief Information Security Officer (CISO) and the Information Technology Security Team (IT Security Team).
The Chief Information Security Officer reports directly to the Management. The IT Security Team is responsible for the agreement, planning, implementation and checking of important decisions and tasks.
Time and funds will be made available to the Information Security Officer, the IT Security Team, and the IT Administrators to participate in training courses and keep themselves up-to-date, and to achieve the Information Security objectives set by the Management.
The work of the Information Security Officer, the IT Security Team and the IT Administrators will be fully supported by Project Managers and the IT Users.
The Chief Information Security Officer and the IT Security Team shall be involved in projects in the early stages such that security-relevant aspects may be considered in the initializing phase. Furthermore, they shall be made aware of security-relevant events and incidents.
IT Users must adhere to the instructions of the Chief Information Security Officer regarding security-relevant queries.
A responsible person will be named for all Processes, IT applications and IT systems and will determine the relevant protection level and access rights. This responsibility can also be undertaken by the Chief Information Security Officer or the IT Security Team.
A substitute must be named for all responsible functions. The ability of substitutes to perform their respective tasks must be assured through knowledge sharing and sufficient documentation.
Buildings and rooms are protected by adequate access controls. Access to IT systems will be protected through the use of appropriate access controls while access to data will be protected through a restrictive authorization. Furthermore, mobile devices such as laptop computers will be encrypted as standard. Additionally, IT users are obliged to encrypt company mobile phones where possible.
Antivirus programs are used on all IT systems. Internet access is secured by an appropriate firewall (UTM solution). Security programs will be configured and administered in such a way as to prevent manipulation and offer effective protection. To safeguard the security level and detect problems, the IT systems will be regularly maintained.
The security awareness of IT Users further supports the security measures; vulnerabilities are reported to the relevant authority.
Loss of data cannot be fully excluded. Extensive data back-ups will ensure that IT-based operations can be quickly restored in the event of data loss or damage. Information will be consistently identified and stored such that it can be found quickly.
IT users participate in regular training sessions on the correct use of IT services and the associated security measures. Management supports needs-oriented training and development. Electronic ISMS Documentation and internal newsletters provide an ample source of information.
The accuracy and relevance of the Information Security Management System is regularly checked. Furthermore, regular checks will be made to ensure that security measures are implementable and of an appropriate awareness level amongst relevant employees.
Management supports the continuous improvement of the security level. Employees are required to communicate improvement potential and weaknesses to the relevant authority.
The desired level of security and data protection will be achieved through continuous review of the rules and their observance. Divergence will be analyzed with the goal of improving security and maintaining IT Security technology to the latest standards.
Entry into force
The aforementioned Information Security Policy is effective immediately.