Warnings concerning vulnerabilities in information technology products and services
The BSI issues warnings in accordance with Section 7 of the BSIG (the Federal Office for Information Security Act) in cases where a manufacturer has taken inadequate action, or none at all, to counter the threat posed by a vulnerability that has come to light.
The following list covers the most recent warnings from the last six months.
If a manufacturer has taken suitable action itself or has publicly recommended an appropriate course of action, the corresponding BSI warning pursuant to Section 7 of the BSIG is archived after one month, together with a note on the manufacturer's response. If the manufacturer takes no appropriate action, the BSI warning is archived six months after its initial publication or after the last update made to the warning. If an archived BSI warning is found to be erroneous or to contain information that no longer applies, it is also updated accordingly.
Archiving does not automatically nullify a warning: a user who has not implemented the actions recommended by the manufacturer remains exposed to the threat in question.
In addition, the BSI provides information about the findings of tests conducted on information technology products. It also issues warnings about vulnerabilities in information technology products and services, as well as about malware, data loss and unauthorised data access.
FAQ about BSI warnings in accordance with Section 7 of the BSIG
Unlike the BSI's other information products, which generally refer to information and measures provided by a manufacturer, a BSI warning pursuant to Section 7 BSIG is published when the manufacturer has established no measures, or only insufficient or untimely measures, to remedy or mitigate the threat resulting from its product.
The process of issuing and publishing a BSI warning pursuant to Section 7 BSIG can be triggered by a variety of events: for example, a third party forwarding its findings to the BSI, internal analyses or investigations by the BSI, or information from publicly accessible sources. The situation in question is verified and assessed using fixed processes.
In principle, the BSI attempts to contact the manufacturer in good time before publication of a BSI warning pursuant to Section 7 BSIG, to inform the manufacturer about the matter and to set a reasonable deadline by which the manufacturer must provide a statement. Any findings resulting from this communication are incorporated immediately into the drafting of the BSI warning. They may also lead to the warning not being issued at all, provided the BSI deems the measures the manufacturer intends to take appropriate, adequate and timely.
If the manufacturer lets the reasonable deadline described in the previous answer pass without responding, or if any delay would itself represent a threat, the BSI issues and publishes the BSI warning pursuant to Section 7 BSIG on the basis of the information available at that time. If the manufacturer implements appropriate measures or provides relevant information at a later point, this is recorded as an update to the BSI warning.
There are overlaps and interfaces between the two. Put simply, a coordinated vulnerability disclosure (CVD) takes place when the manufacturer responds promptly to the BSI's attempts to make contact and reaches mutual agreement with the BSI on a joint course of action; this process can take several months. In that case, no BSI warning pursuant to Section 7 of the Federal Office for Information Security Act (BSIG) is created: the BSI either refers to the manufacturer's actions or takes no action at all. If the manufacturer does not respond promptly, or does not respond at all, the BSI initiates the process of creating and publishing a BSI warning pursuant to Section 7 BSIG. This can also happen during an on-going CVD process if insurmountable differences arise between the manufacturer and the BSI; such differences usually stem from the BSI assessing the manufacturer's action as insufficient.
The BSI does not issue explicit all-clears. Even if the manufacturer provides security updates or implements or recommends other appropriate measures, the threat only changes for those individual users who actually implement the measures.
If a manufacturer has taken suitable action itself or has publicly recommended an appropriate course of action, the corresponding BSI warning pursuant to Section 7 BSIG is archived after one month. If the manufacturer takes no appropriate action, the BSI warning pursuant to Section 7 BSIG is archived only six months after its initial publication or after the last update made to the warning.
The key steps are presented in this schematic diagram.