At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.
Rambus has built a Product Security Incident Response Team (PSIRT), which is responsible for responding to Rambus security incidences. PSIRT manages receipt, investigation and releasing of information about security issues regarding Rambus products. PSIRT is the single point of contact between the security reporter and vendor. The Rambus PSIRT adheres to ISO/IEC 29147:2018.
In order to have a clear and consistent approach to managing security issues, Rambus has defined a procedure for managing security issues. The procedure includes the following steps:
1. Receipt and Acknowledgement
Rambus has a dedicated issue reporting channel that can be used by independent researchers, labs, hackers to report potential vulnerabilities. See section Contact for details of contacting Rambus regarding security issues. Our PSIRT team monitor the email reporting channel for new reports. After receiving a report, we will contact you within 7 calendar days acknowledging receipt.
After receiving the potential vulnerability, we will initiate a verification process to establish if the potential vulnerability is applicable or not.
If the potential vulnerability is considered not to be a vulnerability, Rambus will inform the security reporter and other relevant stakeholders.
If it is considered to be a vulnerability, Rambus will perform root cause analysis. Vulnerabilities will be prioritized and categorized. We will keep the security reporter updated throughout the process.
3. Remediation Development
In this phase, Rambus develops solutions for remediating the security vulnerability. When needed, we work with our customers to find the best solution and provide support for implementing the remediation. All remediation will be tested before release to ensure the vulnerability has been resolved and does not introduce new vulnerabilities.
4. Release of Advisory, Remediation and Credit
Customers will be notified of the issue and will receive an update or patch as soon as it is available. An advisory may be released following customer notification, the timing of which may be aligned with the security reporter. Rambus may credit the security reporter, with his/her permission, following responsible vulnerability disclosure guidelines.
If you have identified a potential security issue regarding a Rambus product, it is strongly encouraged that you contact the Rambus Product Security Incident Response Team (PSIRT), by sending an email to PSIRT@rambus.com.
Encryption Using the Rambus PGP Public Key
To ensure confidentiality, we recommend that you encrypt your findings using PGP. Download the Rambus PSIRT PGP public key and use it to encrypt details of the vulnerability and any relevant issues. Attach the encrypted file to the email and send to email@example.com.
Vulnerability information is sensitive information and is strongly encouraged that your report is encrypted.
You may obtain the software to encrypt messages from: