Report Details
The following information will help us to evaluate your submission as quickly as possible and can be submitted directly via email:
- Product(s) and software version(s) affected
- Vulnerability overview (e.g. buffer overflow, integer overflow, etc.)
- Issue description and impact (e.g. arbitrary code execution, information disclosure, etc.)
- Instructions to how to reproduce the issue
- A proof-of-concept (PoC)
Please send the security report to: security@mediatek.com
Publication of Vulnerabilities
We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. Such communications will oftentimes include attributions to reporters of those vulnerabilities unless those reporters request otherwise.
FAQ
1. How fast will you address security vulnerabilities?
We aim to address security issues and communicate them to our stakeholders within 90 days (e.g. through security bulletins). While we strive to meet this deadline every time, there maybe unforeseen factors that prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.
2. Will I have to sign some kind of Non-Disclosure Agreement?
No
3. Can I submit a security report anonymously?
Yes, if you wish to stay anonymous we respect your privacy. We only require an email to enable us to reply. We do not require a name or other personally identifiable information in a submission. We do not keep further records of your identity in any further communication regarding the matter.
4. Will you credit researchers for reporting vulnerabilities in MediaTek website / IT system?
Yes, please visit MediaTek IT Security Acknowledgements.
5. How does MediaTek rate a vulnerability?
MediaTek currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In the specific cases where additional factors are not properly captured in the CVSS score, we reserve the right to deviate from these guidelines.
6. Can I use the encrypted channel to submit a security report?
Yes, please use our PGP Public Key to send the encrypted security report to security@mediatek.com.
7. Does my report submission qualify for a monetary reward?
MediaTek is currently running a private and invite-only bug bounty program on HackerOne. We will invite researchers to this private program if they have a record of submitting high-quality reports to "security@mediatek.com". If you have previously submitted some high-quality reports and are interested in joining this exclusive program, please directly reach out to "security@mediatek.com". The MediaTek Security Team will review your eligibility for joining this program. Please note that vulnerabilities in domain "*.mediatek.com", "www.mediatek.com" and web/server-side are out of scope in our HackerOne program. Additionally, only valid reports submitted through our bug bounty program on HackerOne are eligible for monetary rewards.
We aim to address security issues and communicate them to our stakeholders within 90 days (e.g. through security bulletins). While we strive to meet this deadline every time, there maybe unforeseen factors that prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.
2. Will I have to sign some kind of Non-Disclosure Agreement?
No
3. Can I submit a security report anonymously?
Yes, if you wish to stay anonymous we respect your privacy. We only require an email to enable us to reply. We do not require a name or other personally identifiable information in a submission. We do not keep further records of your identity in any further communication regarding the matter.
4. Will you credit researchers for reporting vulnerabilities in MediaTek website / IT system?
Yes, please visit MediaTek IT Security Acknowledgements.
5. How does MediaTek rate a vulnerability?
MediaTek currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In the specific cases where additional factors are not properly captured in the CVSS score, we reserve the right to deviate from these guidelines.
6. Can I use the encrypted channel to submit a security report?
Yes, please use our PGP Public Key to send the encrypted security report to security@mediatek.com.
7. Does my report submission qualify for a monetary reward?
MediaTek is currently running a private and invite-only bug bounty program on HackerOne. We will invite researchers to this private program if they have a record of submitting high-quality reports to "security@mediatek.com". If you have previously submitted some high-quality reports and are interested in joining this exclusive program, please directly reach out to "security@mediatek.com". The MediaTek Security Team will review your eligibility for joining this program. Please note that vulnerabilities in domain "*.mediatek.com", "www.mediatek.com" and web/server-side are out of scope in our HackerOne program. Additionally, only valid reports submitted through our bug bounty program on HackerOne are eligible for monetary rewards.