The NXP Product Security Incident Response Team (PSIRT) is committed to rapidly addressing security vulnerabilities in NXP products by responding to and documenting reported vulnerabilities and by providing customers with clear guidance on the impact, severity and mitigation.
The following cases are in scope of PSIRT:
The following cases are NOT in scope of PSIRT:
Security vulnerabilities in NXP products are actively managed through the following process. The time to respond varies based on the scope of the issue. The process consists of four major steps:
The reporter receives an acknowledgment and updates throughout the handling process.
NXP confirms the potential vulnerability, assesses the risk, determines the impact, and assigns priority.
When feasible, NXP develops mitigation strategies and fixes for the reported security vulnerability.
In most cases, NXP will communicate directly with the affected customers.
If you believe that you have discovered a potential security vulnerability in an NXP product, please contact PSIRT. NXP strives to send confirmation of reported vulnerabilities within 24 hours (weekends and holidays may extend this to 72 hours, depending on the urgency). If you do not receive a response within that time, please resend your message. Please write in English and include the following information:
Vulnerability information is extremely sensitive. The PSIRT strongly recommends that all security vulnerability reports sent to NXP be encrypted using the PSIRT PGP/GPG Key.
General support requests sent to PSIRT cannot be answered. Please refer to the support page for product support.
NXP is committed to working with the reporter of the vulnerability to establish what a responsible disclosure by the reporter can look like. The ability to upgrade or patch NXP's products in the field is very different from that of, for example, PCs. NXP's products are chips with embedded software, often deployed in systems where products already in the field cannot be updated easily, or at all.
Hence a responsible disclosure will often need a longer timeframe or a limitation of the information in the disclosure (e.g. anonymous disclosure: disclosing the technicalities of the attack without disclosing the affected products). This allows NXP's customers to migrate and mitigate the vulnerability before the reporter's disclosure can lead to damage to those customers' systems.
Journalists who want to contact NXP about the security of NXP products should visit our NXP Newsroom.