Vulnerability Disclosure Policy
1. Introduction
Synaptics is committed to the safety and security of our products. If a vulnerability is discovered, we work together with our OEM partners to resolve it and publish updates. This document describes the process to submit reports to Synaptics regarding potential security vulnerabilities in our products, and our practices for informing customers and other affected entities of verified vulnerabilities.
2. Contacting Synaptics about a potential vulnerability
Contact the Synaptics Product Security Incident Response Team (PSIRT) by sending an email to PSIRT@synaptics.com if you have identified a potential security vulnerability in one of our products. Your report will be reviewed, and appropriate personnel will contact you to follow up if required. We will strive to acknowledge receipt of your report within 2 business days and to provide a preliminary response within 7 business days.
Please do not include any data in your report that could violate the privacy of any user without first obtaining informed consent from such user and making arrangements to properly encrypt and safeguard that information before submitting it to Synaptics. Synaptics disclaims any liability for such personal information submitted to Synaptics without Synaptics’ request or consent.
PSIRT@synaptics.com is ONLY intended for reports of potential security vulnerabilities specific to Synaptics’ products. No commercial solicitation or technical support requests will be accepted at this address.
3. Security Advisories
If there are security advisories related to our products, such advisories will be posted on our website, www.synaptics.com, in the Related Assets table of the applicable product page under the Products heading or applications page under the Applications heading. For example: https://www.synaptics.com/products/touchpad-family.
Generally, we will issue an advisory when a practical workaround or fix for a particular vulnerability has been issued in coordination with our OEM customers.
In cases where a third party, such as a security researcher, notifies us of a potential vulnerability, we will investigate and may publish a coordinated disclosure along with such third party. If we receive a report under a confidentiality agreement, we will still work with our OEMs to release a security fix but may only be able to provide limited information about the vulnerability.
Synaptics strives to address vulnerabilities and other issues within the industry-standard time of 90 days after such vulnerabilities or issues are reported. We may request additional time to address an issue when appropriate, usually in cases where many OEMs or third parties are impacted and a coordinated response is required.
4. Severity and Impact
Synaptics follows industry-standard practices in measuring and reporting vulnerabilities’ potential impact, following the current version of the Common Vulnerability Scoring System (CVSS). Details about the CVSS system can be found here.
Our advisories typically document a list of known Synaptics products affected by the vulnerability, as well as the appropriate path for obtaining a fix or workaround. In most cases, this will be through our OEM partners or an ecosystem update mechanism such as Windows Update.
When possible, we will list all affected versions of the product. However, it is possible that different versions of our products have been shipped by our OEM partners, which may result in Synaptics being unaware of the complete list of versions that were shipped to the public. Therefore, our advisories may refer to “versions released prior to <date>”, or “versions released between <date> and <date>”. If further details are needed, they may be requested by contacting PSIRT@synaptics.com.
5. Acknowledgement
When applicable, and with permission, Synaptics will acknowledge the researcher or finder of the vulnerability and thank them for their efforts in improving our products.