Report a Product Security Vulnerability

To report a potential security vulnerability in a Nuvoton product, please contact the Nuvoton Product Security Incident Response Team at security@nuvoton.com. Due to their sensitive nature, Nuvoton strongly urges that emails regarding potential vulnerabilities are encrypted. Our PGP key can be found here.
Please be sure to include as much information about the issue as possible including 

  • As many details about the Nuvoton product as you can such as Part Number, Product Category (e.g., TPM, MCU, EC, BMC), Chip Revision, Firmware/Software Version
  • A description of the issue with detailed steps or information on how to reproduce the problem
  • Any supporting information (such as logs, crash dumps, packet captures and screenshots)
  • References to known vulnerabilities with relevant CVE’s where applicable

Alternatively, you can use the form below to report a potential security vulnerability

Basic Information

Fields marked with an asterisk (*) are required


First Name*

Last Name

Company (if applicable)

Email *

Please provide a high-level description of the problem *

Product Details

Please enter as many of the following details about the Nuvoton product as you can


Part Number

Product Category (e.g. TPM, MCU, EC, BMC)

Chip Revision

Firmware/Software Version

Please provide us with a detailed description of the issue, and if possible with detailed steps or information on how to reproduce the problem

Upload File

For any supporting information such as logs, crash dumps, packet captures and screenshots. Note: the uploader is limited to a single file. If you have multiple files to send, please compress them to a single ZIP or RAR file before sending.


Click here or drop file to upload

Supports PDF/RAR/ZIP/JPG/PNG/GIF/BMP, limit 5MB

Please allow seven business days for an initial response

Nuvoton endeavors to work with industry, government organizations, and the security community when reporting vulnerabilities. Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Security researchers who wish to publicize Nuvoton vulnerability details are asked to wait 90 days until after public disclosure of the vulnerability has taken place and to coordinate whenever possible with Nuvoton.

This website uses cookies to ensure you get the best experience on our website. Learn more