Security Vulnerability Disclosure Policy
If you have found a vulnerability, please submit your bug via our Submission Page
Silicon Laboratories Inc. (“Silicon Labs”, “we”, or “our”) looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
At Silicon Labs, security of our products and infrastructure is critical to our business. To lead in secure IoT technology, Silicon Labs recognizes the important role that security researchers play in keeping our organization, our customers, and our users safe. We believe that working with skilled security researchers is critical in identifying and remediating weaknesses in any technology. If you’ve identified a potential security vulnerability in our product, services, or infrastructure, please report it to us right away. We look forward to working with you and doing our best to quickly address the issue.
Vulnerabilities or suspicious functionality in products or software may be reported by customers, Silicon Labs employees, researchers, or other interested parties. When a security vulnerability is suspected, complete the submission form. The report will be sent to HackerOne, and the Silicon Labs PSIRT/ESIRT team will be notified of your submission. An acknowledgment of the report and triage of the bug will follow our targeted response times.
Silicon Labs will make reasonable efforts to meet the following SLAs for participants in the program:
|Type of Response||ESIRT SLA in business days||PSIRT SLA in business days|
|First Response||3 days||3 days|
|Time to Triage||6 days||15 days|
|Time to Resolution||depends on severity and complexity||depends on severity and complexity|
- As a condition of participation, you agree that you will not discuss this program or disclose any vulnerabilities (even resolved ones) outside of the program without express consent from Silicon Labs.
- Additionally, by participating in the program, you agree that you will follow HackerOne's disclosure guidelines.
To protect our company, customers and users, you must accept and comply with the following guidelines:
- Do not disclose the potential security issue to any third party without Silicon Labs’ prior written permission.
- Reports must provide enough detail with reproducible steps. If a report is not detailed enough to reproduce the reported issue, the issue may not be marked as triaged.
- Only one vulnerability per report unless vulnerabilities need to be chained to provide impact.
- If duplicates are received, only the first report received will be triaged (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services. Only interact with accounts you own or with explicit permission of the account holder.
- Do not engage in any denial of service.
- Do not engage in any spamming of our customers or potential customers.
- Do not engage in social engineering (including phishing) of Silicon Labs employees or contractors.
- Do not engage in any physical attempts against Silicon Labs property or data centers.
- Once a report is submitted, Silicon Labs commits to provide prompt acknowledgement of receipt of all reports (within three business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
- Submitted reports are received and processed by a third-party provider of Silicon Labs.
- You give us the right to use the content of your report for any purpose.
- Submission of a report does not create a consumer, employment, or agency relationship between you and Silicon Labs.
- Payment of any reward is made at the sole discretion of Silicon Labs.
- Silicon Labs may update this policy from time to time.
- By participating in this program, you agree that you will follow HackerOne's disclosure guidelines.
Out of Scope Vulnerabilities for Web Assets
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or bruteforce issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Any activities conducted in accordance with the restrictions and guidelines set forth in this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Bug Bounty Program
Silicon Labs partners with HackerOne to reward ethical hackers for stress testing our infrastructure and products.
For now, our Silicon Labs HackerOne bounty program is invitation-only, enabling us to prioritize response times and report quality. Any interested hacker may contact the HackerOne support team.
Please submit your bug via our Submission Page.
Thanks for helping keep Silicon Labs and our users safe!