XML Tag (XML format) | Label (Readable format) | Consumer Explanation | Optional Additional Information / Linked Information

Security Mechanisms

Security Updates (main values) - Consumer explanation: How device receives security updates

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| automatic | Automatic | Device will automatically receive security updates |
| manual | Manual | User needs to manually install security updates |
| consent_based | Consent based | User will be asked whether to update the device |
| no_update | No security updates | Device will not receive any security updates |
| not_disclosed | Not disclosed | |
| other | Other [text box] | |

Optional sub-attributes for automatic, manual, consent based, other

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| expiration_date | Available until at least date | The minimum length of time for which device receives security updates |

Optional Additional Information / Linked Information:
1) What controls users have related to updates (e.g., approve, reject, update notifications)
2) Why updates are important to be installed and to what types of risks users would be exposed if updates are not installed
3) Description of how manufacturer secures updates
4) How users should install updates
5) Justification as to why the device does not get updated
6) End-of-life and hardware replacement policy and what users should expect after the update expiration date (e.g., limited functionality, vulnerability management, paying extra fee for updates)
7) Justification for update expiration date

Access Control (main values) - Consumer explanation: How device can be accessed and who is allowed to access it

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| password | Password | Password is required to access the device |
| biometric | Biometric | User's physical or behavioral characteristics are required to access the device |
| MFA | Multi-factor authentication | At least two factors are required to access the device, for example a password and a confirmation from a previously registered phone |
| no_control | No control over access | Anyone can access the device without a password or other authenticator |
| multi_account | Multiple user accounts are allowed | To access the device, user needs to create an account, multiple user accounts may be created |
| single_account | Single user account is required | To access the device, user needs to create an account |
| optional_account | No user account is required | User is allowed but not required to create a user account to access the device |
| no_account | No user account is allowed | User is not allowed to create a user account to access the device |
| not_disclosed | Not disclosed | |
| other | Other [text box] | |

Optional sub-attributes for password

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| factory_default | Factory default | The credentials required to access the device have default values that are initially generated by the manufacturer |
| user_generated | User generated | User needs to create their own credentials to access the device |

Optional sub-attributes for factory default, user generated

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| user_changeable | User changeable | User may change the credentials that are required to access the device (for security purposes, make sure to change all default credentials before using the device) |
| not_user_changeable | Not changeable by user | User cannot change the credentials that are required to access the device |

Optional Additional Information / Linked Information:
1) Tips on how to make strong passwords
2) How users can reset their passwords
3) What the password expiration policy is
4) If the type of access control is multi-factor authentication, what types of factors/pieces of evidence are required
5) If the type of access control is biometric data, what characteristics of the user are required
6) Justification as to why no authentication method is being used
7) Justification as to why credentials have default values, if any
8) Justification as to why users cannot set or change the credentials
9) At which stage users can/should set or change the credentials
10) Justification as to why users need to have an account to access the mobile application/device
11) If it is allowed to create more than one account, what levels of access and privilege each account can have
12) If it is allowed to create more than one account, how many accounts can be created to access the device/mobile application
13) Justification as to why no user account is needed to access the device/mobile application

Security Oversight (main values) - Consumer explanation: Manufacturer's use of security audits related to this device

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| internal_audit | Audits performed by internal security auditors | |
| external_audit | Audits performed by third-party security auditors | |
| internal_external_audit | Audits performed by internal and third-party security auditors | |
| no_audit | No security audits | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) Who the internal or external auditors are
2) How frequent the audits happen
3) Findings of the audits
4) What the manufacturer will do with the findings of the audits

Ports and Protocols (main values) - Consumer explanation: List and justification of all the physical interfaces, network ports, and listening services

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/ports | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) List of all interfaces that the device supports
2) List of all protocols that are being used
3) Justification for having each interface and protocol
4) What access is provided across each of the interfaces
5) What safeguards are designed for each interface to prevent it from being misused
6) Guidance on how users can securely set up their device
7) Manufacturer Usage Description (MUD) file, describing how device normally behaves in the network
8) Information on how the device's functions within the network may affect users' privacy

Hardware Safety (main values) - Consumer explanation: Safeguards the manufacturer has in place to protect the device hardware from tampering

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/hw_safety | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) Features that have been implemented to prevent unauthorized tampering with the device
2) What are the indications of physical tampering
3) How device informs users when tampering occurs

Software Safety (main values) - Consumer explanation: Safeguards the manufacturer has in place to secure the software of the device

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/sw_safety | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) How sensitive information that is being stored and logged in the software is being protected
2) What types of risks are introduced via the libraries the binary links to, either directly or indirectly
3) List of software safety features and secure toolchains against vulnerabilities and crashes, their justification, and how they are being implemented
4) Security Development Lifecycle (SDL) process that includes the process the manufacturer designed to ensure the security considerations throughout the software life cycle
5) The complexity of the code
6) Under fuzz testing, what the code coverage, number of crashes, and type(s) of crashes were
7) How vulnerable the software is to algorithmic complexity attacks

Personal Safety (main values) - Consumer explanation: Safeguards the manufacturer has in place to protect user against safety risks, including abuse and harassment

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/user_safety | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) List of mechanisms to ensure that any failure of the device, either through malware, lack of power, or coding flaw, does not result in safety risks
2) List of safety aspects of the product that affect users if the security is compromised
3) List of mechanisms that are considered in the product to protect users from abusive behavior
4) Guidelines to help users protect themselves against abusive behavior
5) Guidelines on how users can report incidents of abusive behavior

Vulnerability Disclosure and Management (main values) - Consumer explanation: How transparent and timely the manufacturer has been in disclosing the discovered vulnerabilities, managing them, and mitigating their potential harms

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/vul_report | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) Discovered and reported vulnerabilities
2) While a patch is being created, what steps users should take to mitigate the potential risks of the vulnerability
3) How severe the vulnerabilities were
4) When vulnerabilities got discovered
5) When vulnerabilities got fixed
6) What steps the manufacturer took to fix the vulnerabilities
7) What harms the vulnerabilities led to
8) The steps involved in approving, signing, and distributing the patch/fix
9) The amount of time it takes for the manufacturer to review the reports of vulnerabilities
10) The average amount of time it takes for the manufacturer to fix a discovered vulnerability
11) The standard industry average time to patch vulnerabilities related to the specific device type
12) Justification on why it will take on average a specific number of months to patch a vulnerability
13) How the manufacturer notifies data subjects who might be affected by a data breach

Software and Hardware Composition List (main values) - Consumer explanation: Software and hardware components that are used in the device

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/BOM | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) List of all different software and hardware components that are used and their versions
2) List of vulnerabilities and patches for the software and hardware components

Encryption and Key Management (main values) - Consumer explanation: How user's data will be protected using encryption

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| link | [Open text field with the following text in grey and not editable]: www.NS200.example.com/encryption | |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) If the data stored on the device is encrypted, what encryption method is used
2) If the data stored on the mobile application is encrypted, what encryption method is used
3) If the data stored on the cloud is encrypted, what encryption method is used
4) If the data in transit between device and cloud is encrypted, what encryption method is used
5) If the data in transit between mobile application and cloud is encrypted, what encryption method is used
6) If no encryption is being used, an explanation as to why
7) How cryptographic keys are generated, stored, and managed

Data Practices

Sensor Data Collection (main values) - Consumer explanation: Data types that the device sensors can collect

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| visual | Visual | Device can collect visual data (e.g., video, still image) |
| audio | Audio | Device can collect audio |
| location | Location | Device can detect user's location |
| health | Physiological | Device can measure information related to user's body and health status |
| motion | Motion | Device can sense motion |
| magnetic_field_change | Changes to the magnetic field | Device can sense the changes to the magnetic field and find the position of an object |
| proximity | Presence | Device can detect the presence of nearby objects |
| pressure | Pressure | Device can sense the pressure applied |
| tampering | Tampering efforts | Device can detect when it is unexpectedly moved or when someone is trying to open the case to access the device's internal parts |
| distance | Distance | Device can sense ultrasonic sound waves to measure the distance to an object |
| level | Liquid level | Device can sense the level of the liquid |
| light | Light | Device can detect the amount of light in the room |
| carbon_monoxide | Carbon monoxide | Device can detect the amount of Carbon Monoxide in the air |
| water | Humidity | Device can detect the humidity to measure the amount of water in the air |
| water_quality | Water quality | Device can sense the quality of water |
| smoke | Smoke | Device can detect the presence of smoke in the air |
| temperature | Temperature | Device can measure the current temperature of the room or inside the device |
| position | Position | Device can measure the position of an object |
| not_disclosed | Not disclosed | |
| other | Other [text box] | |

Optional sub-attributes for all the values of "Sensor Data Collection", except "Not disclosed"

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| opt_in_collection | Option to opt in | The specified data type will not be collected unless user opts in |
| opt_out_collection | Option to opt out | The specified data type will be collected unless user opts out |

Optional Additional Information / Linked Information:
1) What information users can obtain from the company and how they can request to obtain a copy of the information
2) What steps users need to take to correct any false information about them
3) How users can enable the controls they have for each data type
4) Justification as to why no control is being offered for a sensor or a data type
5) What users should expect to happen if they opt in/out

Sensor Type (main values) - Consumer explanation: Types of sensors the device has

| XML Tag | Label | Consumer Explanation |
| --- | --- | --- |
| camera | Camera | Device is equipped with camera |
| microphone | Microphone | Device is equipped with microphone |
| accelerometer | Accelerometer | Device is equipped with accelerometer |
| motion_sensor | Motion sensor | Device is equipped with motion sensor |
| magnetometer | Magnetometer | Device is equipped with magnetometer |
| occupancy_sensor | Occupancy sensor | Device is equipped with occupancy sensor |
| proximity_sensor | Proximity sensor | Device is equipped with proximity sensor |
| bluetooth | Bluetooth | Device is equipped with Bluetooth |
| tamper_switch | Tamper detection switch | Device is equipped with tamper detection switch |
| ultrasonic | Ultrasonic | Device is equipped with ultrasonic |
| ambient_light_sensor | Ambient light sensor | Device is equipped with ambient light sensor |
| carbon_monoxide_sensor | Carbon monoxide sensor | Device is equipped with carbon monoxide sensor |
| humidity_sensor | Humidity sensor | Device is equipped with humidity sensor |
| photoelectric_sensor | Photoelectric sensor | Device is equipped with photoelectric sensor |
| split_spectrum_sensor | Split spectrum sensor | Device is equipped with split spectrum sensor |
| temperature_sensor | Temperature sensor | Device is equipped with temperature sensor |
| apacitive_sensor | Capacitive sensor | Device is equipped with capacitive sensor |
| optical_sensor | Optical sensor | Device is equipped with optical sensor |
| not_disclosed | Not disclosed | |

Optional Additional Information / Linked Information:
1) What types of controls users have for each sensor