At Silicon Labs, security of our products and infrastructure is critical to our business. To lead in secure IoT technology, Silicon Labs recognizes the important role that security researchers play in keeping our organization, our customers, and our users safe. We believe that working with skilled security researchers is critical to identifying and remediating weaknesses in any technology. If you have identified a potential security vulnerability in our products, services, or infrastructure, please report it to us right away. We look forward to working with you and doing our best to address the issue quickly.
This document applies to the following scenarios:
Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties.
When a security vulnerability is suspected, complete and submit the embedded form below. The report will be sent to HackerOne, and the Silicon Labs PSIRT/ESIRT team will be notified of your submission. HackerOne will acknowledge the report within three business days of receipt; the ESIRT will triage it within six business days, while PSIRT triage time depends on the severity and complexity of the issue (see the SLA table below).
Our ESIRT and PSIRT work with other Silicon Labs groups including Applications, Developers, Sales and Marketing to assess reported vulnerabilities, perform technical analysis and determine an appropriate response. The key processes for addressing vulnerabilities include:
Silicon Labs will make reasonable efforts to meet the following SLAs for participants in the program:
| Type of Response   | SLA in business days (ESIRT)        | SLA in business days (PSIRT)        |
|--------------------|-------------------------------------|-------------------------------------|
| First Response     | 3 days                              | 3 days                              |
| Time to Triage     | 6 days                              | depends on severity and complexity  |
| Time to Resolution | depends on severity and complexity  | depends on severity and complexity  |
When HackerOne is contacted by a researcher about a discovered vulnerability, the expectation is that Silicon Labs, HackerOne, and the researcher(s) will collaborate to evaluate the issue. From there, the ESIRT/PSIRT works within Silicon Labs to determine the best course of action to address or resolve the issue. If confidential information must be discussed in order to analyze the issue, Silicon Labs will provide a mutual NDA to be signed by the researcher(s), HackerOne, and Silicon Labs so that the information discussed is kept private.
As the issue goes through resolution, HackerOne keeps the researcher updated on the targeted time frames to remediate or accept the security issue and, if needed, to publish a security advisory for the affected products. Researchers are usually recognized for their input by being credited in the corresponding security advisory released by Silicon Labs.
In order to protect our company, customers and users, you must accept and comply with the following guidelines:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Silicon Labs intends to provide customers with the latest and most accurate documentation about security-related concerns associated with our products. There are multiple methods for disclosing security-related updates including:
Customers must use products in accordance with the provided specifications for operation to ensure proper functionality. When a security concern is reported, Silicon Labs will analyze the details to assess the impact on Silicon Labs products or software, determine the underlying technical cause, and provide an appropriate resolution and/or disclosure.
Silicon Labs reserves the right to adjust a product (software or hardware) if necessary for security or reliability reasons. Information on vulnerabilities may be shared in the form of release notes, PCNs, advisories, application notes, and/or FAQs.
For details on the Terms &amp; Conditions or product-specific disclaimer content, please visit www.silabs.com/terms. Product-related content not readily available at www.silabs.com may be requested through our authorized sales channel.
If Silicon Labs determines, in its sole discretion, that you have complied in all respects with this Vulnerability Disclosure Policy in reporting an issue to us, your research will be considered authorized conduct and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep Silicon Labs and our users safe!