Espressif Security Incident Response Process
1. Introduction
Espressif is committed to ensuring the security of its products and software solutions. We recognize that security incidents are a constant threat, and we place a high priority on responding to and mitigating them in a timely and effective manner.
This document highlights the process for dealing with security incidents that may arise in Espressif hardware products and software solutions. This policy will be regularly reviewed and updated to ensure that it remains effective and aligned with the industry best practices.
2. Process Workflow
Process starts when an issue is discovered, for example, from third party project disclosure, researcher, or vulnerability report including Espressif Bug Bounty Program (BBP), customer report and internal discovery.
Process ends when all applicable fixes have been merged, and a public security disclosure has been published, if applicable. Public security disclosure will be published in Espressif website > Page Advisories > Category Security, which contains both hardware and software disclosures. ESP-IDF software components specific advisories are published in ESP-IDF GitHub Repo > Tab Security.
Process Workflow:
2.1. Process Workflow
There are several ways an incident may be reported, internal discovery by Espressif employees, external reported by customer, researcher or other interested parties. Reporter can submit the security vulnerability through:
- Hardware Issues Form, Software Bug Form
- Espressif Bug Bounty Program (Security issues in Espressif software solutions reported at bugbounty@espressif.com can qualify for our Bug Bounty Program)
Note: In consideration of the sensitivity of the information being shared, Espressif strongly advises that all security vulnerability reports should be submitted in an encrypted format, using the Espressif PGP/GPG key.
- Fingerprint: A855 92F9 A412 44C1 13F9 0F0F 01C3 E225 A0FE D438
- Public Key File (ZIP, 4 KB)
Please access the following free software to read and author PGP/GPG encrypted messages:
When you report potential discovered security vulnerability, please provide as much necessary information as possible to help us rightly assess the reported security vulnerability, including but not limited to:
- Clear and concise issue title, specifying the impacted Espressif products by including the product name or part number.
- Issue description, including software version, hardware revision used during testing, tools employed and other environmental factors, your expected test result and actual test result, and security impact of the issue.
- Complete steps to reproduce the issue, detailed test codes that can be run after compilation and debug logs. Additionally, include any additional information that may be relevant.
In the absence of sufficient information, the evaluation process may take longer.
2.2. Evaluate Issue
- Internally review if all necessary information is provided, assign priority, and create tracker.
- Conduct technical analysis of the issue, determine its validation and impact on Espressif products. Assess security risk and categorize the issue.
- Time estimate – 4 weeks
2.3. Corrective Actions
- Produce fix or mitigation actions if the potential vulnerability is verified.
-
Communicate the response to the report submitter and others where appropriate.
- Timeline and version(s) for any fixes. Ask the issue reporter to verify the patch (if applicable).
- Timeline estimated to publish advisory (if any).
- Analyze the need to register CVE for the issue.
- Determine eligibility and reward level for BBP (if applicable).
- Deploy the fix and mitigation actions.
- Prepare and review the security incident advisory and reserve CVE number (if applicable).
- Time estimate – 8 weeks (about 2 months) from start
2.3. Corrective Actions
On agreed disclosure date:
- Publish the public advisory document, including any findings, impacts, remediation activities or security enhancements plan for our product roadmap. Mark any CVE identifier as visible.
- Ensure the remaining fixes are rapidly deployed to the software stack e.g., ESP- IDF.
- In the case of BBP, pay a reasonable bounty.
- Notify affected Espressif customers, if necessary.
- Time estimate – 12 weeks (about 3 months) from start
Note: The time estimates specified above are typical timelines, and actual timelines may vary depending on the severity and complexity of the issue.
3. Disclosure Policy
Espressif values the contributions made by security researchers and the significant role they play in enhancing the security of our products. To ensure the effectiveness of the security incident response, we suggest that incident reporters follow the coordinated vulnerability disclosure process, which involves reporting vulnerabilities to us and allowing time for investigation and remediation before disclosing any information publicly. Additionally, we also recommend that incident reporters do not disclose any unresolved or unpublished vulnerabilities without prior authorization from Espressif.
During the coordinated vulnerability disclosure process, Espressif maintains strict confidentiality of sensitive information. Any information shared between Espressif and the incident reporter will be kept confidential and only used for the purpose of addressing the reported vulnerability.
Espressif would like to express its gratitude to everyone who contributes to keeping our products and users safe.
Disclaimer and Copyright Notice
Information in this document, including URL references, is subject to change without notice.
ALL THIRD PARTY’S INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITH NO WARRANTIES TO ITS AUTHENTICITY AND ACCURACY.
NO WARRANTY IS PROVIDED TO THIS DOCUMENT FOR ITS MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, NOR DOES ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE.
All liability, including liability for infringement of any proprietary rights, relating to use of information in this document is disclaimed. No licenses express or implied, by estoppel or otherwise, to any intellectual property rights are granted herein.
The Wi-Fi Alliance Member logo is a trademark of the Wi-Fi Alliance. The Bluetooth logo is a registered trademark of Bluetooth SIG.
All trade names, trademarks and registered trademarks mentioned in this document are property of their respective owners, and are hereby acknowledged.
Copyright © 2024 Espressif Systems (Shanghai) Co., Ltd. All rights reserved.
乐鑫安全事件响应流程
1. 简介
乐鑫致力于确保产品和软件解决方案的安全性。我们认识到安全事件是一种持续存在的威胁,因此,我们高度重视及时、高效地响应安全事件并提出缓解措施。
本文档介绍了乐鑫硬件产品和软件解决方案中可能出现的安全事件的处理流程。我们会定期审阅和更新该流程,确保流程的有效性,向行业最佳实践看齐。
2. 响应流程
流程开始的标志为问题的发现,问题可能来源于第三方项目披露、研究人员、漏洞报告(包括乐鑫漏洞赏金计划,BBP)、客户报告、内部发现等。
流程结束的标志为所有相关修复措施和安全公告(如适用)的发布。安全公告发布在乐鑫官网 > 公告 > 安全类别,涉及硬件和软件方面。ESP-IDF 软件组件相关的公告发布在 ESP-IDF GitHub 仓库 > Security 页面。
处理流程:
2.1. 报告事件
安全事件可以通过多种方式报告,报告的提出者可以是乐鑫内部员工,也可以是外部客户、研究人员或其他相关方。报告人可以通过以下方式提交安全漏洞:
- 硬件问题表格和软件 BUG 表格
- 乐鑫漏洞赏金计划(通过 bugbounty@espressif.com 报告的乐鑫软件解决方案中的安全问题可能入选漏洞赏金计划)
注意:考虑到安全漏洞报告中可能存在敏感信息,乐鑫强烈建议所有报告使用乐鑫的 PGP/GPG 密钥以加密格式提交。
- 指纹:A855 92F9 A412 44C1 13F9 0F0F 01C3 E225 A0FE D438
- 公共密钥文件(ZIP, 4 KB)
请使用以下免费软件来读写 PGP/GPG 加密消息:
报告潜在的安全漏洞时,请提供尽可能多的必要信息,以便帮助我们正确地评估该漏洞。需要报告的内容包括但不限于:
- 清晰简洁的问题标题,指出受到影响的乐鑫产品,包括产品名称或型号。
- 问题描述,包括测试期间使用的软件版本、硬件版本、使用的工具和其他环境因素、期待的测试结果和实际的测试结果,以及问题可能造成的安全影响。
- 复现问题的完整步骤,详细的测试代码(编译后可运行)和调试日志,以及其他任何可能相关的信息。
如果缺乏足够的信息,评估过程可能会更长。
2.2. 评估问题
- 内部评估报告是否提供了所有的必要信息,分配优先级,确定追踪方式。
- 从技术角度分析、验证问题,确定对产品的影响。评估安全风险并对问题进行分类。
- 预估时间:4 周。
2.3. 纠正措施
- 对于验证后确实存在的漏洞,提出修复或缓解措施。
-
向报告提交者和其他相关人员传达响应措施:
- 修复措施的时间表和修复的版本。请报告者验证补丁(如适用)。
- 预计发布安全公告的时间表(如适用)。
- 分析是否需要为该问题注册 CVE。
- 确定是否符合漏洞赏金计划的要求以及奖励级别(如适用)。
- 部署修复和缓解措施。
- 准备和审阅安全事件公告并保留 CVE 编号(如适用)。
- 预估时间:从开始算起 8 周,约 2 个月
2.3. 公开披露
在约定的披露日期:
- 发布公告,包括调查结果、影响、缓解措施、以及产品路线图中的安全增强计划。公布 CVE 编号。
- 确保其他的修复措施迅速部署到软件堆栈中,如 ESP-IDF。
- 对于符合漏洞赏金计划的安全问题,支付合理的赏金。
- 如有必要,通知受到影响的乐鑫客户。
- 时间估计:从开始算起 12 周,约 3 个月
注:上述的预计时间是一般情况下的典型时间表,实际时间可能会因问题的严重性和复杂性而有所不同。
3. 披露政策
乐鑫高度重视安全研究人员的贡献和他们在增强我们产品安全方面的重要作用。为确保安全事件响应的有效性,我们建议事件报告人遵循协调漏洞披露流程,即向我们报告漏洞,并允许一定时间进行调查和修复,然后再公开披露任何信息。此外,我们还建议事件报告人在未经乐鑫事先授权的情况下不要披露任何未解决或未发布的漏洞。
在协调漏洞披露过程中,乐鑫也会严格保守机密信息。乐鑫和事件报告人之间共享的任何信息都将保密,并且仅用于处理报告的漏洞的目的。
乐鑫衷心感谢所有为保障我们产品和用户的安全做出贡献的人。
免责声明和版权公告
本文档中的信息,包括供参考的 URL 地址,如有变更,恕不另行通知。
本文档可能引用了第三方的信息,所有引用的信息均为“按现状”提供,乐鑫不对信息的准确性、真实性做任何保证。
乐鑫不对本文档的内容做任何保证,包括内容的适销性、是否适用于特定用途,也不提供任何其他乐鑫提案、规格书或样品在他处提到的任何保证。
乐鑫不对本文档是否侵犯第三方权利做任何保证,也不对使用本文档内信息导致的任何侵犯知识产权的行为负责。本文档在此未以禁止反言或其他方式授予任何知识产权许可,不管是明示许可还是暗示许可。
Wi-Fi 联盟成员标志归 Wi-Fi 联盟所有。蓝牙标志是 Bluetooth SIG 的注册商标。
文档中提到的所有商标名称、商标和注册商标均属其各自所有者的财产,特此声明。
版权归 © 2024 乐鑫信息科技(上海)股份有限公司。保留所有权利。
订阅乐鑫动态
及时获取有关 AIoT 行业创新、产品上市、市场活动、文档更新、PCN 通知、软硬件公告等最新信息。
Copyright © 2024 乐鑫信息科技(上海)股份有限公司。版权所有。