Security Vulnerability Disclosure Policy
If you have found a vulnerability, please submit your bug via our Silabs Community Page.
Silicon Laboratories Inc. (“Silicon Labs”, “we”, or “our”) looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
At Silicon Labs, the security of our products and infrastructure is critical to our business. To lead in secure IoT technology, Silicon Labs recognizes the important role that security researchers play in keeping our organization, our customers, and our users safe. We believe that working with skilled security researchers is critical in identifying and remediating weaknesses in any technology. If you’ve identified a potential security vulnerability in our product, services, or infrastructure, please report it to us right away. We look forward to working with you and doing our best to quickly address the issue.
Vulnerability Communication
Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties. When a security vulnerability is suspected, please register for an account in our Community and select the "Vulnerability Disclosure" tab; review the content on our Report a Vulnerability page for step-by-step instructions on how to submit a vulnerability. The report will be received by Silicon Labs, and the Silicon Labs PSIRT/ESIRT team will be notified of your submission. An acknowledgment of the report and triage of the bug will follow our targeted response times. Information on how to subscribe to security notices can be found here.
Response Targets
Silicon Labs will make reasonable efforts to meet the following SLAs for participants in the program:
| Type of Response | ESIRT SLA in business days | PSIRT SLA in business days |
|---|---|---|
| First Response | 3 days | 3 days |
| Time to Triage | 15 days | 15 days |
| Time to Resolution | depends on severity and complexity | depends on severity and complexity |
Disclosure Policy
- As a condition of participation, you agree that you will not discuss this program or disclose any vulnerabilities (even resolved ones) outside of the program without express consent from Silicon Labs.
Program Guidelines
To protect our company, customers and users, you must accept and comply with the following guidelines:
- Do not disclose the potential security issue to any third party without Silicon Labs’ prior written permission.
- Reports must provide enough detail with reproducible steps. If a report is not detailed enough to reproduce the reported issue, the issue may not be marked as triaged.
- Only one vulnerability per report unless vulnerabilities need to be chained to provide impact.
- If duplicates are received, only the first report received will be triaged (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Ensure your research complies with all relevant laws and regulations. Conduct research only on Silicon Labs products and websites, in accordance with their terms and conditions (e.g., Community Terms of Use, Master Service License Agreement, Terms and Conditions of Sale) and all publicly posted policies, guidelines, and instructions.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services. Only interact with accounts you own or with explicit permission of the account holder.
- Do not engage in any denial of service.
- Do not engage in any spamming of our customers or potential customers.
- Do not engage in social engineering (including phishing) of Silicon Labs employees or contractors.
- Do not engage in any physical attempts against Silicon Labs property or data centers.
- Do no harm. Report vulnerabilities promptly and act for the common good; never exploit others without permission. If you confirm a vulnerability (e.g., proof-of-concept achieved) or encounter sensitive data—including personal, financial, proprietary, or trade-secret information—stop immediately and report it. Do not access, copy, modify, store, transfer, or further explore the data. Upon reporting, promptly delete any such information in your possession.
- Once a report is submitted, Silicon Labs commits to providing prompt acknowledgement of receipt of all reports (within three business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
- You give us the right to use the content of your report for any purpose.
- Submission of a report does not create a consumer, employment, or agency relationship between you and Silicon Labs.
- Silicon Labs may update this policy from time to time.
Out of Scope Vulnerabilities for Web Assets
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing.
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Safe Harbor
Any activities conducted in accordance with the restrictions and guidelines outlined in this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Bug Bounty Program
Coming soon in 2026
Resources for Researchers to Use
| Reference Title | Link | Purpose |
|---|---|---|
| Community Link | https://community.silabs.com/s/ | Reference for technical support |
| Project Page for Users | https://community.silabs.com/s/all-blogs?language=en_US | Blogs for various projects and timelines |
| Ordering Kits | https://www.silabs.com/development-tools https://www.silabs.com/products/buy-sample | How to order kits for testing |
Thanks for helping keep Silicon Labs and our users safe!