NXP is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
The NXP Product Security Incident Response Team (PSIRT) responds to reported security vulnerabilities in NXP products. Working with members of the security community and customers, the PSIRT strives to ensure that security vulnerabilities affecting NXP products are documented and solutions are released in a responsible fashion.
The following cases are in scope of PSIRT:
Security vulnerabilities in NXP products are actively managed through the following process. The time to respond varies based on the scope of the issue. The process consists of four major steps:
Reporting: The process begins when the PSIRT becomes aware of a potential security vulnerability in an NXP product. The reporter receives an acknowledgment and updates throughout the handling process.
Evaluation: The PSIRT confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a processing priority. If the vulnerability is confirmed, the priority determines how the issue is handled throughout the remaining steps in the process.
Solution: Working with the PSIRT, the product team develops a solution that mitigates the reported security vulnerability. Solutions take different forms depending on the vulnerability. Because of the nature of NXP products (mostly silicon products where the firmware is in ROM), the solution can very often only be provided in a next version of the chips, and the short-term solution will consist of recommending security measures to be applied in systems using the NXP product.
Communication: As noted above, because of the nature of NXP products, the solution for systems using the affected products often needs to be found in additional countermeasures in those systems. Communication on the vulnerability and solutions will in most cases be made directly to the affected customers. For previously unknown or unreported issues, NXP will acknowledge the reporter of the issues (unless the reporter requests otherwise).
Journalists who want to contact NXP about the security of NXP products should visit our Media Center.