Vulnerability Disclosure Policy


Introduction

Analog Devices, Inc. (herein, “ADI”) seeks to mitigate the risk associated with security vulnerabilities that may be discovered in our products. We aim to accomplish this objective by analyzing reported and discovered vulnerabilities and providing our customers with timely information, analysis, and guidance on appropriate mitigation.

After investigating and validating a reported vulnerability, ADI will strive to create an appropriate remedy, if it believes a remedy is required. A remedy may take the form of:

  • a new product release, patch, or update,
  • corrective procedures to work around or resolve the security issue, or
  • additional guidance customers may use to provide protection against the reported issue(s) in the affected product(s).

ADI will make every effort to provide the remedy or corrective action in the minimum reasonable time in order to protect our customers and partners. ADI communicates security information and/or updates to customers through our regular support channels and www.analog.com/security.


Guidelines

We ask that all Finders:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use only identified communication channels for vulnerability information reporting purposes.
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Analog Devices, Inc. until both you and ADI have agreed to disclosure.
  • Remain communicative and cooperative as we work together through this process.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Work with you to understand and resolve the issues associated with the vulnerability quickly, including an initial confirmation of your report within 2 business days of submission.
  • Recognize your contribution where appropriate: Analog Devices may credit you if you are the first person to report the issue and we make a product modification or configuration change based on it.

Scope

  • ADI Products and Software
  • Services and Infrastructure
  • Product Documentation

Note: Specific information requested for each type of product is available below.


Out of Scope

In the interest of the safety of our users, staff, the Internet at-large, and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing of facilities such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the Scope section
  • UI and UX bugs with no security implication
  • Spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Findings specific to non-ADI components on ADI Evaluation boards

Analog Devices expressly prohibits inclusion of the following information in a vulnerability report:

  • Personally Identifiable Information (PII)
  • Credit card holder data
  • Classified data
  • Binaries – Please provide source code when possible

Reporting

If you believe you’ve found a security vulnerability in one of our products or platforms, please send the Finding report to us by emailing securityalert@analog.com. Please include the following details with your report:

  • Your name/handle and a link for recognition in reports if you choose
  • Your PGP Public Key so that we may continue communicating with you; and
  • Details relevant to the product as set out in the reporting templates below.

To avoid premature disclosure of vulnerability details, we request that researchers encrypt emails using our PGP Public Key.

PGP Public Key Fingerprint: 819E 026D 27B6 AAC2 2B05 C688 F49C BAEE DB0C FBEA
Our public key can be found at https://keys.openpgp.org (search by the fingerprint above, and confirm that the fingerprint of the key you retrieve matches it before encrypting).
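The fetch-verify-encrypt sequence a researcher would run before sending a report, as an added example that is not part of ADI's policy or tooling. It assumes GnuPG 2.1 or newer is installed, that the keyserver is reachable, and that the report to encrypt is a file path passed on the command line (any report file name is hypothetical). The only page-supplied values are the published fingerprint and the keyserver address; the sample `--with-colons` listing embedded for the self-check is constructed.

```shell
#!/bin/sh
# Added example (not ADI's tooling): fetch ADI's disclosure key from
# keys.openpgp.org, check its fingerprint against the one printed in the
# policy, and only then encrypt a report to it. Assumes GnuPG 2.1+.

# Fingerprint exactly as published in the policy above.
ADI_FPR_PUBLISHED="819E 026D 27B6 AAC2 2B05 C688 F49C BAEE DB0C FBEA"
KEYSERVER="hkps://keys.openpgp.org"

# Canonical form (upper-case hex, no whitespace) so that a fingerprint copied
# from a web page compares equal to the one gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key fingerprint. In colon format the first "fpr" record belongs to
# the primary key and field 10 carries the fingerprint; later "fpr" records
# belong to subkeys and must not be compared against the published value.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the primary fingerprint in the colon output on stdin
# equals the expected fingerprint (compared in canonical form).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# Fetch by full fingerprint (keys.openpgp.org serves keys by fingerprint),
# then refuse to continue unless the imported key has exactly that fingerprint.
fetch_and_verify_key() {
    fpr=$(normalize_fpr "$ADI_FPR_PUBLISHED")
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr" >/dev/null 2>&1 || return 1
    gpg --with-colons --fingerprint "$fpr" 2>/dev/null | fpr_matches "$ADI_FPR_PUBLISHED" || {
        echo "fingerprint mismatch: not encrypting" >&2
        return 1
    }
    # A local (non-exportable) signature records that you checked the
    # fingerprint, so gpg stops asking "Use this key anyway?" on each run.
    gpg --batch --quick-lsign-key "$fpr" >/dev/null 2>&1 || true
}

# Encrypt the report to the verified key; ASCII armor so it can go in email.
encrypt_report() {
    fpr=$(normalize_fpr "$ADI_FPR_PUBLISHED")
    gpg --armor --encrypt --recipient "$fpr" --output "$1.asc" "$1"
}

# Constructed sample of colon-format output (not a real listing) used to
# self-check the parser: primary fpr record first, a subkey fpr record last.
SAMPLE_COLONS='pub:-:3072:1:F49CBAEEDB0CFBEA:1700000000:::-:::scESC::::::23::0:
fpr:::::::::819E026D27B6AAC22B05C688F49CBAEEDB0CFBEA:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example UID::::::::::0:
sub:-:3072:1:0000000000000000:1700000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Returns 0 when the parser picks the primary key fingerprint and rejects a
# wrong expected value (the subkey fingerprint must not match).
self_test() {
    printf '%s\n' "$SAMPLE_COLONS" | fpr_matches "$ADI_FPR_PUBLISHED" || return 1
    if printf '%s\n' "$SAMPLE_COLONS" | fpr_matches "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"; then
        return 1
    fi
    return 0
}

# Usage: sh this_script.sh path/to/report.txt  (report path is hypothetical)
if [ "$#" -eq 1 ]; then
    fetch_and_verify_key && encrypt_report "$1" && echo "wrote $1.asc"
fi
```

The comparison is deliberately done on the full 40-hex-digit fingerprint rather than the 16-digit key ID, since short IDs can be collided. Older GnuPG releases refuse to import a key that carries no user ID, which keys.openpgp.org serves when the address has not been verified there; a current GnuPG imports such a key and encryption by fingerprint works as shown.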


Disclosure

Prior to disclosure, we will do the following when applicable:

  • Triage and Validate the finding report
  • Communicate the timeline for mitigation and disclosure to you, where applicable (we may request an extension of the embargo period)
  • Communicate with other parties in a multi-party coordinated disclosure
  • Obtain Common Vulnerabilities and Exposures (CVE) identifier(s) for tracking
  • Communicate the remediation strategy to you
  • Publish the disclosure on www.analog.com/security, as appropriate

Customer Rights: Warranties, Support, and Maintenance

The rights of ADI’s customers with respect to warranties, support, and maintenance of the applicable ADI product or service are governed solely by, and subject in all respects to, our Standard Terms and Conditions of Sale and any other applicable agreement between ADI and each such customer.

The statements in this document do not modify or enlarge any customer rights or create any additional warranties, whether express or implied. Any information provided to ADI regarding vulnerabilities in ADI products, including all information in a product vulnerability report, shall become the sole property of ADI and may be used by ADI without any duty to account or pay consideration to the provider of such information.

Reporting Templates