Report potential product security vulnerabilities

About ST PSIRT

ST's Product Security Incident Response Team (ST PSIRT) supervises the process of accepting and responding to potential security vulnerabilities involving ST hardware and software products.

ST places a high priority on security, and ST PSIRT is committed to rapidly addressing potential security vulnerabilities affecting our products. Our long history and vast experience in security allow ST to perform clear analyses and provide appropriate guidance on mitigations and solutions when applicable.

If you wish to report a potential security vulnerability regarding our products, we encourage you to report it to ST PSIRT by following the steps described on this page.

How to report a potential security vulnerability

To report a potential security vulnerability, please contact ST PSIRT at psirt@st.com.
All exchanges and reports should be provided in English.

Because of the sensitive nature of such reporting, ST PSIRT strongly encourages that all security vulnerability reports be sent encrypted, using the ST PSIRT PGP/GPG Key:

  • Fingerprint: CFF4 FA07 4F1C A91C 92BA B34F BF30 B8E2 D48E A55C
  • Public Key File (ZIP, 3 KB)

Free software to read and author PGP/GPG encrypted messages may be obtained from:

Recommended information to include in your report

To allow ST PSIRT to process the discovered potential security vulnerability, you should provide the following information:

  • ST product identification: part number or product reference and version (hardware or software)
  • Complete technical description of the potential vulnerability, including any related known exploits
  • How and when the potential vulnerability was discovered
  • Any public information already published or any planned publication (CVE, academic paper publication, etc.)
  • Your contact information to use during the process

Insufficient information may prevent ST from evaluating the request.

Vulnerability management process

Once submitted, ST PSIRT will manage the reported vulnerability according to the following process:

  1. Reporting a new vulnerability: At this stage, ST PSIRT will acknowledge receipt of the reported issue.
  2. Evaluating: ST PSIRT will evaluate the potential vulnerability to understand if there is an issue, analyze it, and set a priority to manage valid issues. ST PSIRT may come back to the submitter if some information is missing from the original report or if clarification is needed.
  3. Solving: ST PSIRT will investigate potential solutions and mitigations to address the issue.
  4. Communicating: Once a solution is available (fix or mitigation), ST PSIRT will communicate back to the submitter and others where appropriate.