Security Vulnerability Disclosure Policy

Silicon Labs looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

At Silicon Labs, security of our products and infrastructure is critical to our business. To lead in secure IoT technology, Silicon Labs recognizes the important role that security researchers play in keeping our organization, our customers, and our users safe. We believe that working with skilled security researchers is critical in identifying and remediating weaknesses in any technology. If you’ve identified a potential security vulnerability in our product, services, or infrastructure, please report it to us right away. We look forward to working with you and doing our best to quickly address the issue.

Scope

This document applies to the following scenarios:

  • Newly discovered security vulnerabilities that occur with Silicon Labs products, web assets, or enterprise infrastructure and are not already covered in published documents/forums.
  • Silicon Labs infrastructure, products or systems that are being used or accessed in an unexpected manner.

Abbreviations/Definitions

  • PCN – Product Change Notification
  • PSIRT – Product Security Incident Response Team
  • ESIRT – Enterprise Security Incident Response Team
  • RFI – Request for Information

Reporting a Vulnerability

Vulnerability Communication

Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties.

When a security vulnerability is suspected, complete and submit the embedded form below. The report will be sent to HackerOne, and the Silicon Labs PSIRT/ESIRT team will be notified of your submission. An acknowledgment by HackerOne will occur within three business days of receipt of the report, and triage by Silicon Labs within six days.

Security Response Process

Our ESIRT and PSIRT work with other Silicon Labs groups including Applications, Developers, Sales and Marketing to assess reported vulnerabilities, perform technical analysis and determine an appropriate response. The key processes for addressing vulnerabilities include:

  • Triage: This involves active dialog between the ESIRT/PSIRT, HackerOne, the reporting entity, Applications Support team, as well as the Engineering Design team, to determine what is needed to reproduce the vulnerability.
  • Technical Analysis and Disposition: Includes the actual confirmation of the validity of the security vulnerability based on the issue’s evaluation and/or reproduction. The scope and impact or severity of the vulnerability are confirmed as well as a resolution or disposition decision. This may include a fix, workaround or acceptance of the identified vulnerability.
  • Output: The level of disclosure beyond the reporting entity will depend on the severity and scope of the vulnerability.

Response Targets

Silicon Labs will make reasonable efforts to meet the following SLAs for participants in the program:

  • First Response: 3 business days
  • Time to Triage: 10 business days
  • Time to Resolution: depends on severity and complexity

Researcher Expectations

When HackerOne is contacted by researcher(s) about discovered vulnerabilities, the expectation is that Silicon Labs, HackerOne, and the researcher(s) will collaborate to evaluate the issue. From there the ESIRT/PSIRT works within Silicon Labs to determine the best course of action to address or resolve the issue. If confidential information must be discussed in order to analyze the issue, Silicon Labs will provide a mutual NDA to be signed by the researcher(s), HackerOne, and Silicon Labs so that the information discussed is kept private.

As the issue goes through resolution, HackerOne keeps the researcher updated on targeted time frames to remediate or accept the security issue, and if needed, publish a security advisory for products. Researchers are usually recognized for their input by being credited in the respective security advisory that is released by Silicon Labs.

Program Guidelines

In order to protect our company, customers and users, you must accept and comply with the following guidelines:

  • Do not disclose the potential security issue to any third party without Silicon Labs’ prior written permission.
  • Reports must provide enough detail with reproducible steps. If a report is not detailed enough to reproduce the reported issue, the issue may not be marked as triaged.
  • Only one vulnerability per report unless vulnerabilities need to be chained to provide impact.
  • If duplicates are received, only the first report received will be triaged (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services. Only interact with accounts you own or with explicit permission of the account holder.
  • Do not engage in any denial of service.
  • Do not engage in any spamming of our customers or potential customers.
  • Do not engage in social engineering (including phishing) of Silicon Labs employees or contractors.
  • Do not engage in any physical attempts against Silicon Labs property or data centers.
  • Once a report is submitted, Silicon Labs commits to provide prompt acknowledgement of receipt of all reports (within three business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
  • Submitted reports are received and processed by a third-party provider of Silicon Labs.
  • You give us the right to use the content of your report for any purpose.
  • Submission of a report does not create a consumer, employment, or agency relationship between you and Silicon Labs.
  • Payment of any reward is made at the sole discretion of Silicon Labs.
  • Silicon Labs may update this policy from time to time.
  • By participating in this program, you agree that you will follow HackerOne's disclosure guidelines.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing.
  • Open redirect - unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction.

Disclosure Statement for Products

Silicon Labs intends to provide customers with the latest and most accurate documentation about security-related concerns associated with our products. There are multiple methods for disclosing security-related updates including:

  • PCNs – Product Change Notifications
  • Release Notes – Documents provided with the release of software
  • Direct Customer Communication – Communication through Sales or Field Application Engineers
  • Security Advisories – Technical summaries about a security issue and the recommended action for addressing it

You can subscribe to the above notification types at www.silabs.com under the customer profile settings.

Use of products, by customers, must follow the provided specifications for operation to ensure proper functionality. In the event of a reported security concern, Silicon Labs will analyze the details to assess the impact on Silicon Labs products or software, determine the associated technical cause, and provide an appropriate resolution and/or disclosure.

Silicon Labs reserves the right to adjust the (software/hardware) product if necessary for security or reliability reasons. Information sharing on vulnerabilities may take the form of release notes, PCNs, advisories, application notes, and/or FAQs.

For details on the Terms & Conditions or product-specific disclaimer content, please visit www.silabs.com/terms. Product-related content not readily available at www.silabs.com may be requested through our authorized sales channel.

Safe Harbor

If Silicon Labs determines in its sole discretion that you have complied in all respects with the Vulnerability Disclosure Policy in reporting an issue to us, then it will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep Silicon Labs and our users safe!