Report Details
The following information will help us to evaluate your submission as quickly as possible and can be submitted directly via email:
- Product(s) and software version(s) affected
- Vulnerability overview (e.g. buffer overflow, integer overflow, etc.)
- Issue description and impact (e.g. arbitrary code execution, information disclosure, etc.)
- Instructions on how to reproduce the issue
- A proof-of-concept (PoC)
Please send the security report to: security@airoha.com
Publication of Vulnerabilities
We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. Such communications will oftentimes include attributions to reporters of those vulnerabilities unless those reporters request otherwise.
FAQ
- How fast will you address security vulnerabilities?
We aim to address security issues and communicate them to our stakeholders within 90 days. While we strive to meet this deadline every time, there may be unforeseen factors that prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.
- Will I have to sign some kind of Non-Disclosure Agreement?
No.
- Can I submit a security report anonymously?
Yes. If you wish to stay anonymous, we respect your privacy. We only require an email address so that we can reply. We do not require a name or other personally identifiable information in a submission, and we do not keep additional records of your identity in any subsequent communication regarding the matter.
- How does Airoha rate a vulnerability?
Airoha currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In specific cases where additional factors are not properly captured by the CVSS score, we reserve the right to deviate from these guidelines.
- Can I use an encrypted channel to submit a security report?
Yes, please use our PGP Public Key to send the encrypted security report to security@airoha.com.
Disclosure Policy
Airoha is committed to designing and offering innovative products that are secure and reliable. We believe it is of utmost importance that our customers can enjoy Airoha products with confidence that the confidentiality and integrity of their data will be maintained, including but not limited to through timely information, guidance and remediation of vulnerabilities in our products. In order to maximize the effectiveness and efficiency of the analysis, remediation and disclosure of security vulnerabilities related to our products, we urge security researchers to follow this Vulnerability Disclosure Policy ("VDP") when reporting security vulnerabilities they have identified.
General Rules for Vulnerability Submissions
- Vulnerabilities must be attributable to Airoha technologies.
- The security issue must be unknown to Airoha and communicated exclusively with Airoha.
- All information about the security issue discovered must remain in confidence and private during the coordinated vulnerability disclosure time frame.
- Make a good faith effort to avoid privacy violations, disruption to production environments, and destruction or manipulation of data.
- Additional restrictions on vulnerability submissions may apply subject to applicable law.
- Your testing must not violate any law, or disrupt or compromise any data that is not your own. The Program is designed to be compatible with common vulnerability disclosure practices. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any of our legal obligations.
- Notwithstanding anything provided hereunder, we reserve the right to determine the eligibility of a submission at our sole discretion.
What You Can Expect From Us
- We aim to respond within a maximum of 3 to 5 business days of receiving the initial report. If you do not hear back from us within a week of submitting the initial report, please send it to us again.
- We will make our best effort to address security vulnerabilities, including but not limited to releasing patches to our OEM partners within 90 days, and will communicate with stakeholders as needed.
Vulnerability Severity
Airoha currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In specific cases where additional factors are not properly captured by the CVSS score, we reserve the right to deviate from these guidelines.
Disclaimer
We reserve the right to change or update this VDP and the vulnerability disclosure processes associated with it without notice at any time. Please also refer to our Legal Notice and Privacy Policy for other legal matters.