Product Security Incident Response Team (PSIRT)
SEALSQ Product Security Commitment
Scope
1- Scope of the SEALSQ PSIRT
The SEALSQ PSIRT covers security vulnerabilities affecting certified products and other SEALSQ hardware, software, and security documentation where relevant.
- Secure semiconductors and secure elements: Security vulnerabilities affecting certified and non-certified secure hardware components.
- Embedded firmware and cryptographic components: Vulnerabilities impacting embedded software, cryptographic implementations, and security-critical firmware.
- PKI, trust services, and software platforms: Security issues related to PKI services, certificate management, trust infrastructures, and supporting software.
- Reference designs and security-critical integrations: Security flaws affecting reference designs, security guidance, and validated integration architectures.

2- How to report a potential security vulnerability
SEALSQ encourages responsible disclosure of potential security vulnerabilities. All reports submitted to the PSIRT are acknowledged and handled in accordance with established security processes.
Contact: 📧 Email: psirt@sealsq.com
Due to the sensitive nature of such reporting, SEALSQ PSIRT highly encourages all potential security vulnerability reports to be sent encrypted, using the SEALSQ PSIRT PGP/GPG Key.
- Fingerprint: 8A97 F863 DD84 6242 790B 684A 4CBC 17FA 88BF B7C5
Software for encrypting messages with PGP/GPG may be obtained from GnuPG (free): https://www.gnupg.org
To help us assess and respond efficiently, reporters are encouraged to include, when available:
- Product name and version
- A detailed description of the issue
- Steps to reproduce the vulnerability
- Potential impact and attack scenario, if known
Reports may be submitted in English or French.
3- Responsible Disclosure & Handling Process
SEALSQ follows a responsible vulnerability disclosure process that includes:
- Acknowledgment of the report
- Technical evaluation and risk assessment
- Development of mitigation and/or remediation measures when applicable
- Coordinated communication with affected parties and authorities when required
Detailed vulnerability handling procedures are maintained internally as part of SEALSQ’s certified security management system.


4- Compliance & Standards Alignment
SEALSQ’s PSIRT process is aligned with European cybersecurity regulations and recognized standards, including the EU Cybersecurity Act (Regulation (EU) 2019/881) and Common Criteria–related vulnerability handling requirements.
5- Security Support & Lifecycle Information
Security information and vulnerability handling guidance remain publicly available for the duration required by applicable certifications and regulatory frameworks.


6- Public Advisories & Authorities Coordination
When appropriate, SEALSQ may coordinate vulnerability disclosure with relevant authorities, certification bodies, and industry partners, in accordance with applicable regulations.