Product Security Vulnerability

NXP is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.

Vulnerability Handling

The NXP Product Security Incident Response Team (PSIRT) responds to reported security vulnerabilities in NXP products. Working with members of the security community and with customers, the PSIRT ensures that security vulnerabilities affecting NXP products are documented and that solutions are released in a responsible fashion.

Scope of Security Incidents Handled by PSIRT

The following cases are in scope of PSIRT:

  • Security incidents in NXP products (hardware or software).
  • Flaws in the security information or recommendations in NXP documents (e.g. datasheets and application notes).
  • Security-sensitive NXP documents, or security-relevant information regarding NXP, found in places where they should not be.
  • Security-sensitive NXP products found in places where they should not be.

Vulnerability Handling Process

Security vulnerabilities in NXP products are actively managed through the following process. The time to respond varies based on the scope of the issue. The process consists of four major steps:

Reporting: The process begins when the PSIRT becomes aware of a potential security vulnerability in an NXP product. The reporter receives an acknowledgment and updates throughout the handling process.

Evaluation: The PSIRT confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a processing priority. If the vulnerability is confirmed, the priority determines how the issue is handled throughout the remaining steps in the process.

Solution: Working with PSIRT, the product team develops a solution that mitigates the reported security vulnerability. Solutions take different forms depending on the vulnerability. Because of the nature of NXP products (mostly silicon products whose firmware is in ROM and cannot be updated in the field), a fix can very often only be provided in a subsequent version of the chip. The short-term solution then consists of recommended security measures to be applied in the systems that use the affected NXP product.

Communication: As noted above, because of the nature of NXP products, the solution for systems using an affected product often consists of additional countermeasures in those systems. Communication about the vulnerability and its solution is in most cases directed to the affected customers. For previously unknown or unreported issues, NXP will credit the reporter of the issue (unless the reporter requests otherwise).

Media

Journalists who want to contact NXP about the security of NXP products should visit our Media Center.