Reporting a Vulnerability
SiFive is committed to delivering secure and reliable RISC-V based products. Our Product Security Incident Response Team (PSIRT) plays a vital role in this commitment by coordinating the response to security vulnerabilities.
The SiFive PSIRT process is a structured methodology for analyzing and handling cybersecurity incidents. The PSIRT process allows for the effective identification, acknowledgement, investigation, remediation and disclosure of cybersecurity vulnerabilities in a timely manner, so that products remain secure after they have shipped.
Coordinated Vulnerability Disclosure
SiFive follows Coordinated Vulnerability Disclosure (CVD) as outlined in ISO/IEC 29147 and adheres to the vulnerability handling processes defined in ISO/IEC 30111.
SiFive uses the definition of vulnerability disclosure given in the CERT document, which reads:
“Vulnerability disclosure is a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution. The goals of vulnerability disclosure include the following:
a) ensuring that identified vulnerabilities are addressed;
b) minimizing the risk from vulnerabilities;
c) providing users with sufficient information to evaluate risks from vulnerabilities to their systems”.
CVD is a process intended to ensure that vulnerability handling occurs in a way that protects our customers and their users. It is a process by which reporters who discover a vulnerability in one of SiFive's products contact SiFive and allow SiFive to analyze and remediate the vulnerability before the reporter discloses it to the public.
We work closely with reporters to understand and validate vulnerabilities, and we strive to coordinate disclosure in a way that minimizes risk to our customers.
SiFive PSIRT coordinates with the reporter and updates the reporter about progress when appropriate. SiFive PSIRT may recognize the reporter on our Acknowledgement page for finding a valid product vulnerability and privately reporting the issue.
SiFive communicates the appropriate vulnerability information to our customers and to the public (if relevant) in a phased timeline. This gives time to analyze, test, and implement mitigation before coordinated public disclosure, if any.
SiFive may share the reporter's name and contact information with customers unless the reporter explicitly states otherwise.
Reporting a Vulnerability
SiFive encourages and welcomes security researchers, customers, and partners (the "Reporter") to report potential security vulnerabilities in our products to the PSIRT. To report a vulnerability, please email psirt@sifive.com.
If confidentiality is required, the Reporter can use:
- Our SiFive PSIRT PGP public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
=ghJ4
-----END PGP PUBLIC KEY BLOCK-----
- Encrypted zip files, with the password shared by any applicable means
Note: The Reporter is free to share their own PGP public key if needed.
Please write your report in English and include the following information:
- Product and version: Specify the affected SiFive product and its version number, if known.
- Vulnerability details: Provide a detailed description of the vulnerability and how it was found, including the steps and tools needed to reproduce it and a proof of concept.
- Impact assessment: Describe the potential impact of the vulnerability if exploited and, ideally, any proposal for remediation.
- Contact information: Provide your name, your organization and contact information so we can communicate with you.
- Time constraints: Give any important dates, e.g., the date of publication or presentation.
Include the following information with your vulnerability report:
Vulnerability
- Product(s) containing the vulnerability:
- Vulnerability Description:
- How may an attacker exploit this vulnerability? (Proof of Concept):
- What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn’t have before?)
- How did you find the vulnerability? (Be specific about tools and versions you used.)
- When did you find the vulnerability?
Disclosure Plans, if any
- Have you already reported this vulnerability? YES/NO, if yes, to which vendors and organizations:
- Is this vulnerability being publicly discussed? YES/NO, if yes, then provide URL.
- Is there evidence that this vulnerability is being actively exploited? YES/NO, if yes, then provide URL/evidence.
- Do you plan to publicly disclose this vulnerability? YES/NO
- If YES:
  - at this event:
  - on this date: (Please include your time zone)
  - at this URL:
Reporter
- Name:
- Organization:
- Email:
- PGP Public Key (if any):
- Telephone (optional):
- May we provide your contact information to third parties, e.g., customers? YES/NO
- Do you want to be publicly acknowledged in a disclosure? YES/NO
- Additional Comments:
Vulnerability Remediation
SiFive is committed to addressing validated vulnerabilities in a timely and effective manner. We prioritize vulnerabilities based on their severity and potential impact.
Remediation efforts may include:
- Issuing a new release: Publishing a new version of the impacted product(s).
- Developing and releasing patches: Providing software updates to remedy or contain the vulnerability.
- Providing workarounds: Offering temporary solutions to mitigate the vulnerability until a patch becomes available.
- Publishing security advisories: Informing customers about vulnerabilities and providing guidance on mitigation strategies.
Acknowledgement
SiFive does not have a bounty program. We are willing to acknowledge the Reporter in our Security Bulletin or on the PSIRT website (see <psirt-acknowledge-webpage>).
Media / PR requests related to SiFive security vulnerability information
Please contact us using this link
Disclaimer
SiFive's PSIRT policy is subject to change without notice. SiFive's response to any communication from a Reporter is not required or guaranteed for any issue or inquiry. SiFive reserves the right in its sole discretion to change or update this webpage without notice.