Report a Product Security Vulnerability
To report a potential security vulnerability in a Nuvoton product, please contact the Nuvoton Product Security Incident Response Team at firstname.lastname@example.org. Due to their sensitive nature, Nuvoton strongly urges that emails regarding potential vulnerabilities are encrypted. Our PGP key can be found here.
Please be sure to include as much information about the issue as possible including
- As many details about the Nuvoton product as you can such as Part Number, Product Category (e.g., TPM, MCU, EC, BMC), Chip Revision, Firmware/Software Version
- A description of the issue with detailed steps or information on how to reproduce the problem
- Any supporting information (such as logs, crash dumps, packet captures and screenshots)
- References to known vulnerabilities with relevant CVE’s where applicable
Alternatively, you can use the form below to report a potential security vulnerability
Please allow seven business days for an initial response
Nuvoton endeavors to work with industry, government organizations, and the security community when reporting vulnerabilities. Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Security researchers who wish to publicize Nuvoton vulnerability details are asked to wait 90 days until after public disclosure of the vulnerability has taken place and to coordinate whenever possible with Nuvoton.