Report Details
To ensure an efficient assessment process and filter out automated or unverified reports, all submissions must be actionable and thoroughly documented. Please submit the following required information directly via email:
- Affected product(s) and specific software version(s).
- Vulnerability overview (e.g., buffer overflow, integer overflow).
- Detailed issue description and actual impact.
- A root cause analysis describing why the vulnerability occurs.
- A functional Proof-of-Concept (PoC) demonstrating vulnerability reachability.
- Step-by-step instructions to reproduce the issue.
- Concrete evidence of successful reproduction, such as screenshots, video recordings, or crash logs.
Note: Reports lacking a functional PoC or concrete evidence may not be processed.
Please send the security report to: security@mediatek.com
Publication of Vulnerabilities
We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. Such communications will oftentimes include attributions to reporters of those vulnerabilities unless those reporters request otherwise.
FAQ
1. How fast will you address security vulnerabilities?
We aim to address security issues and communicate them to our stakeholders within 90 days (e.g. through security bulletins). While we strive to meet this deadline every time, there may be unforeseen factors that prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.
2. Will I have to sign some kind of Non-Disclosure Agreement?
No.
3. Can I submit a security report anonymously?
Yes. If you wish to stay anonymous, we respect your privacy. We only require an email address so that we can reply. We do not require a name or other personally identifiable information in a submission, and we do not keep further records of your identity in any subsequent communication regarding the matter.
4. Will you credit researchers for reporting vulnerabilities in MediaTek website / IT system?
Yes, please visit MediaTek IT Security Acknowledgements.
5. How does MediaTek rate a vulnerability?
MediaTek currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In the specific cases where additional factors are not properly captured in the CVSS score, we reserve the right to deviate from these guidelines.
6. Can I use the encrypted channel to submit a security report?
Yes, please use our PGP Public Key to send the encrypted security report to security@mediatek.com.
7. Does my report submission qualify for a monetary reward?
MediaTek is currently running a private and invite-only bug bounty program on HackerOne. We will invite researchers to this private program if they have a record of submitting high-quality reports to "security@mediatek.com". If you have previously submitted some high-quality reports and are interested in joining this exclusive program, please directly reach out to "security@mediatek.com". The MediaTek Security Team will review your eligibility for joining this program. Please note that vulnerabilities in domain "*.mediatek.com", "www.mediatek.com" and web/server-side are out of scope in our HackerOne program. Additionally, only valid reports submitted through our bug bounty program on HackerOne are eligible for monetary rewards.