The purpose of this document is to describe the expectations and limitations regarding the handling and disclosure of security incidents related to Silicon Labs products.
This document applies to the following scenarios:
Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties.
In addition, at least one PSIRT member will always be designated to subscribe to the CERT and CVE security feeds, to continuously monitor those feeds for vulnerabilities that might affect Silicon Labs products, and to feed any such findings into the PSIRT process.
When a security vulnerability is suspected, an email should be sent to firstname.lastname@example.org. The PSIRT will acknowledge the report within 72 hours of receipt of the finding. Reporting content should include:
Further dialog on the issue will be pursued with the reporting entity by the PSIRT in a secure manner using a PGP/GPG key available here.
The PSIRT works with other Silicon Labs groups including Applications, Developers, Sales and Marketing to assess reported vulnerabilities, perform technical analysis and determine an appropriate response. The key processes for addressing vulnerabilities include:
When the PSIRT is contacted by researcher(s) about discovered vulnerabilities, the expectation is that the PSIRT and the researcher(s) will collaborate to evaluate the issue. From there, the PSIRT works within Silicon Labs to determine the best course of action to address and resolve the issue. If confidential information must be discussed in order to analyze the issue, the PSIRT will provide a mutual NDA to be signed by both the researcher(s) and the PSIRT so that the information discussed is kept private.
As the issue goes through resolution, the PSIRT keeps the researcher(s) updated on the targeted time frames for releasing a fix and publishing a security advisory. It is expected that the researcher(s) and the PSIRT will agree on the targeted time frame for sharing the vulnerability with others. Researchers are usually recognized for their input by being credited in the respective security advisory released by Silicon Labs. There is no bug bounty program in place at Silicon Labs.
Silicon Labs intends to provide customers with the latest and most accurate documentation about security-related concerns associated with our products. There are multiple methods for disclosing security-related updates, including:
Customers' use of products must follow the provided specifications for operation to ensure proper functionality. In the event of a reported security concern, Silicon Labs will analyze the details to assess the impact on Silicon Labs products or software, determine the associated technical cause, and provide an appropriate resolution and/or disclosure.
Silicon Labs reserves the right to adjust the (software/hardware) product if necessary for security or reliability reasons. Information sharing on vulnerabilities may take the form of release notes, PCNs, advisories, application notes, and/or FAQs.
For details on the Terms & Conditions or product-specific disclaimer content, please visit www.silabs.com/terms. Product-related content not readily available at www.silabs.com may be requested through our authorized sales channel.