Ensuring Quality and Timely Mitigation

Product security at onsemi is consistent with our commitment to quality and our customer-focused approach. We strive to address security incidents systematically and to communicate vulnerabilities and mitigations promptly.

Reporting

A weakness is a defect or characteristic that can lead to undesirable behavior. A security vulnerability is a weakness in an onsemi product that can be exploited or triggered by a threat source. If you have discovered a potential security vulnerability in an onsemi product or service, please get in touch with the Product Security Incident Response Team (PSIRT) at [email protected] using the English language. After your incident report is received, the appropriate personnel will contact you to follow up.

Please include the following information with your initial report:

  • The products (part number or product reference) and versions affected
  • Brief description of the vulnerability (do not include sensitive information)
  • Information about known exploits
  • Your full name, organization, email address and phone number (see Note 2)

We acknowledge that product vulnerability information can be highly sensitive. Therefore, upon receipt of an email to [email protected], we will respond with a method to upload sensitive information to us.

Note 1: PSIRT only handles product or service security vulnerabilities. It is not meant for technical support or general queries or information on our products or services. All content other than security vulnerabilities in our products or services will not be analyzed further by PSIRT. For technical and customer support inquiries, please visit our Support page.

Note 2: Information collected will only be used to manage the vulnerability report. Refer to the onsemi privacy policy page.

Vulnerability Management Process

On receipt of a potential vulnerability email, we follow the vulnerability management process:

  • Acknowledgement: onsemi attempts to acknowledge receipt of submitted reports within 48 hours.
  • Evaluation: The reported vulnerability will be evaluated to determine whether there is an issue, then analyzed and assigned a priority so that valid issues can be managed. At this stage, we may come back to the reporter for any missing information or if further clarification is needed.
  • Solution: At this stage, we investigate potential solutions and mitigations to address the issue.
  • Communication: Once a solution is available (fix or mitigation), onsemi will communicate back to the reporter and discuss responsible disclosure measures.

Responsible Disclosure

When appropriate, onsemi intends to notify affected customers about the vulnerability, either through targeted notifications or through public communication.