Product Security Response

Vulnerability Disclosure Policy


Introduction

Analog Devices, Inc. (herein, “ADI”) seeks to mitigate the risk associated with security vulnerabilities that may be discovered in our products. We aim to accomplish this objective by analyzing reported and discovered vulnerabilities and providing our customers with timely information, analysis, and guidance on appropriate mitigation.

After investigating and validating a reported vulnerability, ADI will strive to create an appropriate remedy, if it believes a remedy is required. A remedy may take the form of:

  • a new product release, patch, or update,
  • corrective procedures to work around or resolve the security issue, or
  • additional guidance customers may use to provide protection against the reported issue(s) in the affected product(s).

ADI will make every effort to provide the remedy or corrective action in the minimum reasonable time in order to protect our customers and partners. ADI communicates security information and/or updates to customers through our regular support channels and www.analog.com/security.


Guidelines

We ask that all Finders:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use only identified communication channels for vulnerability information reporting purposes.
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Analog Devices, Inc. until disclosure is approved by both the finder and Analog.
  • Remain communicative and cooperative as we work together through this process.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research related to a vulnerability (except for acts of malice)
  • Work with you to understand and resolve the issues associated with the vulnerability quickly (including an initial confirmation of your report within 2 business days of submission)
  • Analog Devices may recognize your contribution if you are the first person to report the issue and we make a product modification or configuration change based on the issue as appropriate.

Scope

  • ADI Products and Software
  • Services and Infrastructure
  • Product Documentation

Note: Specific information requested for each type of product is available below.


Out of Scope:

In the interest of the safety of our users, staff, the Internet at-large, and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing of facilities such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the `Scope` section
  • UI and UX bugs with no security implication
  • Spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Findings specific to non-ADI components on ADI Evaluation boards

Analog Devices expressly prohibits inclusion of the following information in a vulnerability report:

  • Personally Identifiable Information (PII)
  • Credit card holder data
  • Classified data
  • Binaries – Please provide source code when possible

Reporting

If you believe you’ve found a security vulnerability in one of our products or platforms, please send the Finding report to us by emailing securityalert@analog.com. Please include the following details with your report:

  • Your name/handle and a link for recognition in reports if you choose
  • Your PGP Public Key so that we may continue communicating with you; and
  • Details relevant to the product as set out in the reporting templates below.

To provide assurances that security vulnerability details are not disclosed prematurely, we request that researchers encrypt emails using our PGP Public Key.

PGP Public Key and Fingerprint: 4DDE 7588 D8BD 651F A328 070D 0443 FC63 7862 4B84


Disclosure

Prior to disclosure, we will do the following when applicable:

  • Triage and Validate the finding report
  • Communicate with you the timeline for mitigation (when applicable) and disclosure (when applicable) (we may request to extend the Embargo Period)
  • Communicate with other parties in a Multi-party Coordinated Disclosure
  • Obtain Common Vulnerability Enumeration (CVE) Identifier(s) for tracking
  • Communicate the remediation strategy with you
  • As appropriate, publication of the disclosure on www.analog.com/security

Customer Rights: Warranties, Support, and Maintenance

ADI’s customers' rights with respect to warranties and support and maintenance of the applicable ADI product or service are governed solely by, and subject in all respects to, our Standard Terms and Conditions of Sale, and any other applicable agreement between ADI and each such customer.

The statements in this document don't modify or enlarge any customer rights or create any additional warranties, whether express or implied. Any information provided to ADI regarding vulnerabilities in ADI products, including all information in a product vulnerability report, shall become the sole property of ADI and may be used by ADI without any duty to account or pay consideration to the provider of such information.

Reporting Templates

Software-Based Vulnerabilities

X+
  1. Product Name - common name used for the solution
  2. Product Version Number
  3. Host Operating System - if any
  4. Host OS Version Number
  5. Expected functionality
  6. Functionality following exploit
  7. Steps to Reproduce the Vulnerability
  8. Example Source Code - if any
  9. Finder's Contact Information - best method to contact finder
  10. Other Parties Involved - if any, used for coordinated disclosure
  11. Disclosure Plan(s) - when does the Finder plan to disclose
  12. Threat/Risk/Impact Assessment - what does the Finder see as the threats, risks, and impact (high, medium, low)
  13. Configuration - what is the configuration of the system and hardware

Hardware-Based Vulnerabilities

X+
  1. Hardware Model Number as shown on the product packaging
  2. Hardware Revision Number
  3. Expected functionality
  4. Functionality following exploit
  5. Steps to Reproduce the Vulnerability
  6. Example Source Code - if any
  7. Finder's Contact Information - best method to contact finder
  8. Other Parties Involved - if any, used for coordinated disclosure
  9. Disclosure Plan(s) - when does the Finder plan to disclose
  10. Threat/Risk/Impact Assessment - what does the Finder see as the threats, risks, and impact (high, medium, low)
  11. Configuration - what is the configuration of the hardware (connections, software, debug connections, etc.)

Cloud-Based Vulnerabilities

X+
  1. Time and Date of Discovery - if known
  2. Uniform Resource Locator (URL) for Service
  3. Browser Configuration - if used
  4. Inputs Required to Reproduce the Vulnerability
  5. Steps to Reproduce the Vulnerability
  6. Example Exploit Source Code - if any
  7. Finder\'92s Contact Information - best method to contact finder
  8. Other Parties Involved - if any, used for coordinated disclosure
  9. Disclosure Plan(s) - when does the Finder plan to disclose
  10. Threat/Risk/Impact Assessment - what does the Finder see as the threats, risks, and impact (high, medium, low)
  11. System Configuration - if relevant to the vulnerability