Report Product Security Vulnerabilities

Vulnerability Handling

The NXP Product Security Incident Response Team (PSIRT) responds to reported security vulnerabilities in NXP products. Working with members of the security community and customers, the PSIRT works to best ensure that security vulnerabilities affecting NXP products are documented and solutions are released in a responsible fashion. NXP is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.

Reporting a Potential Security Vulnerability

If you believe you have discovered a potential security vulnerability in an NXP product, please contact PSIRT at psirt@nxp.com. NXP strives to send you a confirmation of receipt within 24 hours; during weekends and holidays this may be extended to 72 hours if the problem does not appear critical at first sight. If you do not get a response within that time, please resend your message. It is important to include the following information:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

Vulnerability information is extremely sensitive. The PSIRT strongly recommends that all security vulnerability reports sent to NXP be encrypted using the PSIRT PGP/GPG Key.

PGP / GPG key

  • Fingerprint: B7C9 5E6D CA57 3706 EA6C 6E2E A85D 0C62 3BC0 6810
  • PGP / GPG key: Key

Software for PGP/GPG-encrypting messages may be obtained from:
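As an added example (not NXP's own tooling or instructions), the following POSIX shell script shows the check a reporter should make before using the key above: confirm that the fingerprint of the downloaded key matches the fingerprint published on this page, and only then encrypt the report to it. The key file path ./nxp-psirt.asc and the report path ./report.txt are placeholders, and GnuPG 2.x is assumed to be installed.

```shell
#!/bin/sh
# Added example, not NXP's own script: verify the downloaded PSIRT key against the
# fingerprint published on the page, then encrypt the report with it.
# Assumptions: gpg (GnuPG 2.x) is installed; the key was saved to ./nxp-psirt.asc
# (placeholder path); the report text is in ./report.txt (placeholder path).

# Fingerprint as published on the page.
EXPECTED_FPR="B7C9 5E6D CA57 3706 EA6C 6E2E A85D 0C62 3BC0 6810"

# Normalise a fingerprint: drop whitespace and upper-case the hex digits, so the
# grouping used on the web page, on a key server and in gpg output all compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Exit status 0 when the two fingerprints match after normalisation, 1 otherwise.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print every fingerprint gpg finds in a key file (primary key and subkeys),
# one per line, using the machine-readable colon format ("fpr" records, field 10).
key_file_fingerprints() {
    gpg --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Import the key and encrypt the report only if one of the key's fingerprints is the
# published one; otherwise refuse, because a key with the right e-mail address but a
# different fingerprint is exactly what an attacker would substitute.
encrypt_report_if_key_matches() {
    keyfile="$1"
    report="$2"
    for fpr in $(key_file_fingerprints "$keyfile"); do
        if fingerprint_matches "$fpr" "$EXPECTED_FPR"; then
            gpg --import "$keyfile" >/dev/null 2>&1
            # The fingerprint has been checked by hand above, so the local trust
            # database does not need to vouch for the key.
            gpg --trust-model always --armor \
                --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
                --encrypt --output "$report.asc" "$report"
            echo "encrypted $report -> $report.asc"
            return 0
        fi
    done
    echo "fingerprint mismatch: refusing to encrypt with $keyfile" >&2
    return 1
}

# Run the gpg steps only when the tool and the placeholder files are actually present.
if command -v gpg >/dev/null 2>&1 && [ -f ./nxp-psirt.asc ] && [ -f ./report.txt ]; then
    encrypt_report_if_key_matches ./nxp-psirt.asc ./report.txt
fi
```

The comparison is done on the full 40-hex-digit fingerprint rather than on the short key ID, because short IDs can be made to collide; the whitespace normalisation exists only so that the spaced fingerprint shown on this page can be compared with the unspaced one gpg prints.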

Scope of security incidents handled by PSIRT

The following cases are in scope of PSIRT:

  • Security incidents in NXP products (hardware or software).
  • Flaws in NXP documents regarding security information or recommendations (e.g. datasheets and application notes).
  • Security-sensitive NXP documents or security-relevant information regarding NXP found in places where they should not be.
  • Security-sensitive NXP products which are found in places where they should not be.

Vulnerability Handling Process

Security vulnerabilities in NXP products are actively managed through the following process. The time to respond varies based on the scope of the issue. The process consists of four major steps:

Reporting: The process begins when the PSIRT becomes aware of a potential security vulnerability in an NXP product. The reporter receives an acknowledgement and updates throughout the handling process.

Evaluation: The PSIRT confirms the potential vulnerability, assesses the risk, determines the impact and assigns a processing priority. If the vulnerability is confirmed, the priority determines how the issue is handled throughout the remaining steps in the process.

Solution: Working with PSIRT, the product team develops a solution that mitigates the reported security vulnerability. Solutions take different forms depending on the vulnerability. Because of the nature of NXP products (mostly silicon products whose firmware is in ROM), very often the solution can only be provided in a next version of the chips, and the short-term solution will consist of recommending security measures to be applied in systems using the NXP product.

Communication: As noted above, because of the nature of NXP products, the solution for systems using the affected products often needs to be found in additional countermeasures in those systems. Communication about the vulnerability and its solutions will in most cases be directed to the affected customers. For previously unknown or unreported issues, NXP will acknowledge the reporter of the issues (unless the reporter requests otherwise).

Responsible disclosure

NXP is committed to working with the reporter of the vulnerability to establish what constitutes a responsible disclosure by the reporter. The ability to upgrade or patch NXP's products in the field is very different from that for, e.g., PCs. NXP's products are chips with embedded software, often deployed in systems without a way to easily (or at all) update products that are already deployed in the field.

Hence a responsible disclosure will often need a longer timeframe or a limitation on the information in the disclosure (e.g. anonymous disclosure: disclosing the technicalities of the attack without disclosing the affected products). This is to allow NXP's customers to migrate and mitigate the vulnerability before the reporter's disclosure can cause damage to those customers' systems.

Media

Journalists who want to contact NXP about the security of NXP products can do so at http://media.nxp.com