Product security vulnerabilities and how to report them

Introduction to product security vulnerabilities

Nordic Semiconductor ASA is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This document describes Nordic Semiconductor’s policy for receiving reports related to potential security vulnerabilities in its products and services.

Nordic Semiconductor's Product Security Incident Response Team (PSIRT) responds to reported security vulnerabilities in Nordic Semiconductor's products (hardware and software), documentation and services. The PSIRT ensures that security vulnerabilities are analyzed, documented and communicated in a responsible manner.

Reporting product security vulnerabilities

If you have discovered a potential security vulnerability in a Nordic Semiconductor product or service, please contact the PSIRT at [email protected] in English. After your incident report is received, the appropriate personnel will contact you to follow up.

Please include the following information with your initial report:

The products and versions affected

A detailed description of the vulnerability, including any steps needed to reproduce it

Please note that product vulnerability information can be highly sensitive. To ensure confidentiality, we strongly encourage reporters to encrypt any sensitive information they send to us. Upon receipt of an email to [email protected] we will respond with a link that you can use to upload sensitive information to us.

Note: The above email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not meant for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit our Developer Zone.

Nordic Semiconductor attempts to acknowledge receipt of all submitted reports within seven days.

Responsible Disclosure

The ability to upgrade, patch or fix Nordic Semiconductor's products in the field varies between our products, and a fix can sometimes only be made by upgrading the functionality in our silicon in the next version of the chips.

Nordic Semiconductor intends to notify the affected customers, when appropriate, about the vulnerability either through targeted communication to affected customers or through public communication (e.g. in a security advisory or a bulletin).

Vulnerability handling process

The PSIRT handles reported security vulnerabilities through the following process:

PSIRT

HackerOne bug bounty program

Nordic Semiconductor sponsors a bug bounty program on HackerOne, a security platform powered by ethical hackers. They stress test our hardware and software to find any potential or latent security vulnerabilities so they can be fixed before a cybercriminal finds them.

For now, the Nordic Semiconductor HackerOne bug-bounty program will be run privately (invitation only) as Nordic wants to focus on building up a relationship with the community, while prioritizing report quality and report response times. Any interested hacker is invited to make contact via the HackerOne platform support team. 
