Security Vulnerability Disclosure Policy

Purpose

This document describes the expectations and limitations regarding how Silicon Labs addresses and discloses security incidents related to Silicon Labs products.


Scope

This document applies to the following scenarios:

  • Newly discovered security vulnerabilities in Silicon Labs products that are not already covered in published documents or forums
  • Silicon Labs collateral (documents or products) that is being used or accessed in an unexpected manner


Abbreviations/Definitions

  • PCN – Product Change Notification
  • PSIRT – Product Security Incident Response Team
  • RFI – Request for Information


Responsibilities

  • Customers, Researchers – report suspected vulnerabilities to Silicon Labs
  • Sales, FAEs – gather information and related vulnerability details from the customer
  • Applications – assess the reported security issue and confirm whether it is reproducible


Reporting a Vulnerability

Vulnerability Communication

Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties.

In addition, at least one PSIRT member is always designated to subscribe to the CERT and CVE security feeds, continuously monitor them for vulnerabilities that might affect Silicon Labs products, and feed any such findings into the PSIRT process.

When a security vulnerability is suspected, send an email to product-security@silabs.com. The PSIRT will acknowledge receipt of the finding within 72 hours. The report should include:

  • The product(s) showing the vulnerability
  • Product application/usage summary
  • The steps and/or environment needed to reproduce or trigger the issue

The PSIRT will pursue further dialog on the issue with the reporting entity in a secure manner, using the PGP/GPG key available here.


PSIRT Process

The PSIRT works with other Silicon Labs groups, including Applications, Developers, Sales and Marketing, to assess reported vulnerabilities, perform technical analysis and determine an appropriate response. The key steps for addressing a vulnerability are:

  • Triage: Active dialog between the PSIRT, the reporting entity, the Applications Support team and the Engineering Design team to determine what is needed to reproduce the vulnerability.
  • Technical Analysis and Disposition: Confirmation of the validity of the reported vulnerability through evaluation and/or reproduction. The scope, impact and severity of the vulnerability are confirmed, and a resolution or disposition is decided. This may be a fix, a workaround, or acceptance of the identified vulnerability.
  • Output: The level of disclosure beyond the reporting entity depends on the severity and scope of the vulnerability.


Researcher Expectations

When the PSIRT is contacted by researcher(s) about a discovered vulnerability, the expectation is that the PSIRT and the researcher(s) will collaborate to evaluate the issue. The PSIRT then works within Silicon Labs to determine the best course of action to address or resolve it. If confidential information must be discussed in order to analyze the issue, the PSIRT will provide a mutual NDA, to be signed by both the researcher(s) and the PSIRT, so that the information discussed is kept private.

As the issue moves toward resolution, the PSIRT keeps the researcher updated on the targeted time frames for releasing a fix and publishing a security advisory. The researcher(s) and the PSIRT are expected to agree on the targeted time frame for sharing the vulnerability with others. Researchers are usually recognized for their input by being credited in the corresponding security advisory released by Silicon Labs. Silicon Labs does not operate a bug bounty program.


Disclosure Statement

Silicon Labs intends to provide customers with current and accurate documentation about security-related concerns associated with our products. Security-related updates may be disclosed through several channels, including:

  • PCNs – Product Change Notifications
  • Release Notes – Documents provided with the release of software
  • Direct Customer Communication – Communication through Sales or Field Application Engineers
  • Security Advisories – Technical summaries about a security issue and the recommended action for addressing it

Customers may subscribe to the above notification types at www.silabs.com under their customer profile settings.

Customers must operate products in accordance with the provided specifications to ensure proper functionality. In the event of a reported security concern, Silicon Labs will analyze the details to assess the impact on Silicon Labs products or software, determine the associated technical cause, and provide an appropriate resolution and/or disclosure.

Silicon Labs reserves the right to adjust a (software or hardware) product where necessary for security or reliability reasons. Information about vulnerabilities may be shared in the form of release notes, PCNs, advisories, application notes, and/or FAQs.

For details on the Terms &amp; Conditions or product-specific disclaimer content, please visit www.silabs.com/terms. Product-related content not readily available at www.silabs.com may be requested through our authorized sales channel.
