At Silicon Labs, we are committed to working collaboratively with the security research community, customers, and partners to identify and address vulnerabilities in a responsible and timely manner. As a CVE Numbering Authority (CNA), Silicon Labs follows industry practices for vulnerability disclosure and management, ensuring transparency and accountability throughout the process.
This FAQ page is designed to provide clear guidance on how to report potential security issues, what to expect during the disclosure process, and how we handle vulnerability disclosures. Whether you're a researcher, developer, or customer, we appreciate your efforts in helping us maintain a secure ecosystem.
Reporting Vulnerabilities
To report a product security vulnerability, please submit details through our secure vulnerability reporting form or email our PSIRT at product-security@silabs.com. Include a detailed description of the vulnerability, steps to reproduce it, and any supporting materials (e.g., proof-of-concept code). For secure communication, use our PSIRT PGP Key. We encourage responsible disclosure and will acknowledge your submission within 3 business days.
Please provide:
- A clear description of the vulnerability.
- Affected product(s) and version(s).
- Steps to reproduce the issue.
- Potential impact (e.g., data breach, system compromise).
- Any proof-of-concept code or screenshots (if applicable).
- Your contact information for follow-up.
- Attribution details, if attribution is preferred.
This helps our PSIRT assess and address the issue quickly.
Yes, we accept anonymous submissions. However, providing contact information allows us to follow up for clarification and, if applicable, discuss eligibility for our Bug Bounty Program.
Disclosure Process
Disclosure: We publish a security advisory to notify subscribed users of the vulnerability. To learn how to sign up for security advisory notifications, click here. 
Yes, we adhere to coordinated vulnerability disclosure principles. We work with reporters to validate and remediate vulnerabilities before public disclosure, minimizing risk to our customers. We aim to publish security advisories alongside available fixes. In certain cases, a fix may not be released.
Once a security advisory is released by Silicon Labs, the advisory cannot be distributed through message boards, social media, direct messaging, or other informal channels. However, researchers are welcome to reference the published CVEs in their communications or publications.
You can view previously published security advisories in our Community portal (you need to be logged in). You can filter security advisories based on product categories. More details on this topic can be found here.
You can sign up for email notifications when a new Security Advisory is published here. You will receive access to all security advisories published, but will only receive notifications when a new advisory is published based on the product categories you select when subscribing to notifications.
Bug Bounty Program
Yes, our Bug Bounty Program rewards eligible submissions based on the vulnerability’s severity and impact. See our Bug Bounty Program page for eligibility, scope, and reward details.
Qualifying vulnerabilities include those affecting our enterprise software, semiconductor products, firmware, or related software. Some common vulnerabilities that we have rewarded have been related to:
- Remote code execution
- Privilege escalation
- Memory corruption
- Cryptographic flaws
- Buffer overflows
Non-qualifying issues include low-impact bugs (e.g., minor misconfigurations). See our program scope for details.
Information on how to join and submit findings to the Silicon Labs Bug Bounty Program can be found here.
Enterprise-Related Questions
To report an enterprise asset security vulnerability, please go through our Bug Bounty Program. Please do not send an email to our PSIRT, as that is a channel specific to product security vulnerabilities. See our Bug Bounty Program page for eligibility, scope, and reward details.
General Questions
Our Product Security Incident Response Team (PSIRT) manages the identification, assessment, and resolution of security vulnerabilities in our products. We coordinate with researchers, customers, and partners to ensure timely fixes and transparent communication.
We prioritize fixes using a combination of industry standards and internal assessments. We use the Common Vulnerability Scoring System (CVSS), which helps us evaluate the severity of each issue. Critical vulnerabilities receive the highest priority, and we aim to disclose and resolve them within 90 days.
Yes, we are a CNA (CVE Numbering Authority). This allows us to assign CVE identifiers to confirmed vulnerabilities when appropriate, supporting public disclosure of security issues. We include the relevant CVE numbers in each security advisory.
We take data privacy seriously. Reports are handled confidentially, stored securely, and shared only with team members involved in resolution. Use our PSIRT PGP Key for encrypted submissions. See our Security Vulnerability Disclosure Policy and Privacy Notice for details.