At Silicon Labs, we are committed to working collaboratively with the security research community, customers, and partners to identify and address vulnerabilities in a responsible and timely manner. As a CVE Numbering Authority (CNA), Silicon Labs follows industry practices for vulnerability disclosure and management, ensuring transparency and accountability throughout the process.
This FAQ page is designed to provide clear guidance on how to report potential security issues, what to expect during the disclosure process, and how we handle vulnerability disclosures. Whether you're a researcher, developer, or customer, we appreciate your efforts in helping us maintain a secure ecosystem.
Reporting Vulnerabilities
To report a product security vulnerability, please register and create an account at community.silabs.com, click the "Vulnerability Disclosure" tab in the top right-hand corner, and select the "Vulnerability Report Submission" option in the drop-down menu. Alternatively, you can email our PSIRT at product-security@silabs.com. Please include a detailed description of the vulnerability, steps to reproduce it, and any supporting materials (e.g., proof-of-concept code) with every submission. For secure communication, use our PSIRT PGP Key. We encourage responsible disclosure and will acknowledge your submission within 3 business days.
To report an enterprise asset security vulnerability, please register and create an account at community.silabs.com, click the "Vulnerability Disclosure" tab in the top right-hand corner, and select the "Vulnerability Report Submission" option in the drop-down menu. Alternatively, you can email our ESIRT at DL.Enterprise_Security@silabs.com. Please do not send an email to our PSIRT, as that is a channel specific to product security vulnerabilities. We encourage responsible disclosure and will acknowledge your submission within 3 business days.
Please provide:
- A clear description of the vulnerability.
- Affected product(s) and version(s).
- Steps to reproduce the issue.
- Potential impact (e.g., data breach, system compromise).
- Any proof-of-concept code or screenshots (if applicable).
- Your contact information for follow-up.
- Attribution details, if attribution is preferred.
- For coding vulnerabilities, the exact location of the vulnerable files.
This helps our PSIRT assess and address the issue quickly.
Yes, we accept anonymous submissions. However, providing contact information allows us to follow up for clarification and, if applicable, discuss eligibility for our Bug Bounty Program, which is coming up in early 2026.
Disclosure Process
Disclosure: We publish a security advisory to notify subscribed users of the vulnerability. To learn how to sign up for security advisory notifications, click here.
Yes, we adhere to coordinated vulnerability disclosure principles. We work with reporters to validate and remediate vulnerabilities before public disclosure, minimizing risk to our customers. We aim to publish security advisories alongside available fixes. In certain cases, a fix may not be released.
Once a security advisory is released by Silicon Labs, the advisory cannot be distributed through message boards, social media, direct messaging, or other informal channels. However, researchers are welcome to reference the published CVEs in their communications or publications.
You can view previously published security advisories in our Community portal (you need to be logged in). You can filter security advisories based on product categories. More details on this topic can be found here.
You can sign up for email notifications when a new Security Advisory is published here. You will receive access to all security advisories published, but will only receive notifications when a new advisory is published based on the product categories you select when subscribing to notifications.
Bug Bounty Program
Coming Soon in 2026
General Questions
Our Product Security Incident Response Team (PSIRT) manages the identification, assessment, and resolution of security vulnerabilities in our products. We coordinate with researchers, customers, and partners to ensure timely fixes and transparent communication.
We prioritize fixes using a combination of industry standards and internal assessments. We utilize the Common Vulnerability Scoring System (CVSS) 4.0, which enables us to assess the severity of each issue. Critical vulnerabilities receive the highest priority, and we aim to disclose and resolve them within 90 days.
Yes, we are a CNA (CVE Numbering Authority). This enables us to assign CVEs to confirmed vulnerabilities when appropriate, facilitating the public disclosure of security issues. We include relevant CVE numbers in each security advisory.
We take data privacy seriously. Reports are handled confidentially, stored securely, and shared only with team members involved in resolution. Use our PSIRT PGP Key for encrypted submissions. See our Security Vulnerability Disclosure Policy and Privacy Notice for details.