About ST PSIRT

ST's Product Security Incident Response Team (ST PSIRT) supervises the process of accepting and responding to reports of potential security vulnerabilities involving ST hardware and software products.

ST places a high priority on security, and ST PSIRT is committed to rapidly addressing potential security vulnerabilities affecting our products. Our long history and vast experience in security allows ST to perform clear analyses and provide appropriate guidance on mitigations and solutions when applicable.

If you wish to report a potential security vulnerability regarding our products, we encourage you to report it to ST PSIRT by following the steps described on this page.

How to report a potential security vulnerability

To report a potential security vulnerability, please contact ST PSIRT at psirt@st.com. 

All exchanges and reports must be provided in English.

Because of the sensitive nature of such reporting, ST PSIRT highly encourages all potential security vulnerability reports to be sent encrypted, using the ST PSIRT PGP/GPG Key:

• Fingerprint: F2B8 13E0 6AD0 CBD0 81B9 FA94 0FEE E399 08AE 602C
• Public Key File (ZIP, 3 KB)

Free software to read and author PGP/GPG encrypted messages may be obtained from:

• Gpg4win
• GnuPG

IMPORTANT-READ CAREFULLY:

STMicroelectronics N.V., on behalf of itself, its affiliates and subsidiaries, (collectively “ST”) takes all potential security vulnerability reports or other related communications (“Report(s)”) seriously. In order to review Your Report (the terms “You” and “Yours” include your employer, and all affiliates, subsidiaries and related persons or entities) and take actions as deemed appropriate, ST requires that we have the rights and Your permission to do so.

As such, by submitting Your Report to ST, You agree that You have the right to do so, and You grant to ST the rights to use the Report for purposes related to security vulnerability analysis, testing, correction, patching, reporting and any other related purpose or function.

Recommended information to include in your report

To allow ST PSIRT to process the reported potential security vulnerability, you should provide the following information:

• ST product identification: part number or product reference and version (hardware or software)
• Complete technical description of the potential vulnerability, including any related known exploits
• How and when the potential vulnerability was discovered
• Any public information already published or planned to be published (CVE, academic paper publication, etc.)
• Your contact information to use during the process

Insufficient information may prevent ST from evaluating the request.

Potential vulnerability management process

Once submitted, ST PSIRT will manage the reported potential security vulnerability according to the following process:

1. Reporting a new vulnerability: At this stage, ST PSIRT will acknowledge receipt of the reported issue.
2. Evaluating: ST PSIRT will evaluate the potential vulnerability to understand if there is an issue, analyze it, and set a priority to manage valid issues. ST PSIRT may come back to the submitter in case some information is missing from the original report or if clarification is needed.
3. Solving: ST PSIRT will investigate potential solutions and mitigations to address valid issues.
4. Communicating: Once a solution is available (fix or mitigation), ST PSIRT will communicate back to the submitter and others where appropriate.