Vulnerability Disclosure Policy

Published August 5, 2021 | Updated August 5, 2021
MediaTek is committed to designing and offering innovative products that are secure and reliable. We believe it is of utmost importance that our customers can enjoy MediaTek products with confidence that the confidentiality and integrity of their data will be maintained by including but not limited to providing timely information, guidance and remediation of vulnerabilities in our products. In order to maximize the effectiveness and efficiency of analysis, remediation and disclosure of security vulnerability related to our products, we urge security researchers to follow this Vulnerability Disclosure Policy ("VDP") when reporting the security vulnerability you have identified.


General Rules for Vulnerability Submissions

  • Vulnerabilities must be attributable to MediaTek technologies.
  • Security issue must be unknown to and communicated exclusively with MediaTek.
  • All information about the security issue discovered must remain in confidence and private during the coordinated vulnerability disclosure time frame.
  • Make a good faith effort to avoid privacy violations, disruption to production environment, and destruction or manipulation of data.
  • When multiple submissions by different researchers occur, only the first one who reports the security issue to us will be mentioned on our Product Security Acknowledgements.
  • Additional restrictions on vulnerability submissions may apply subject to applicable law.
  • Notwithstanding anything provided hereunder, we reserve the right to determine the eligibility of a submission at our sole discretion.


What You Can Expect From Us

  • We aim to respond within a maximum of 3 to 5 business days upon receiving the initial report. If you do not hear back from us after a week you submitted the initial report, please send it to us again.
  • We will make best effort to address the security vulnerabilities by including but not limited to releasing patches to our OEM partners within 90 days and communicate with the stakeholders as needed.
  • CVE number will be granted for resolved security issues in certain MediaTek products, excluding issues identified in third-party components not under MediaTek’s control. While we currently do not provide monetary rewards, we do offer Product Security Acknowledgements when an externally reported vulnerabilities where the severity is either Medium, High or Critical is addressed to us under this VDP.


Reporting A Potential Security Vulnerability


Vulnerability Severity

  • MediaTek currently rates and evaluates the severity level of identified vulnerabilities based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1). In the specific cases where additional factors are not properly captured in the CVSS score, we reserve the right to deviate from these guidelines.


Disclaimer

  • We reserve the right to change or update this VDP and the vulnerability disclosure processes in association with the VDP without notice at any time. Please also refer to Legal Notice and Privacy Policy for other legal points.