Reporting a potential security vulnerability

Procedure overview

In order to have a clear and consistent approach to managing security issues, Rambus has defined a procedure for managing security issues. The procedure includes the following steps:

1. Receipt and Acknowledgement
Rambus has a dedicated issue reporting channel that can be used by independent researchers, labs, hackers to report potential vulnerabilities. See section Contact for details of contacting Rambus regarding security issues. Our PSIRT team monitor the email reporting channel for new reports. After receiving a report, we will contact you within 7 calendar days acknowledging receipt.

2. Verification
After receiving the potential vulnerability, we will initiate a verification process to establish if the potential vulnerability is applicable or not.

If the potential vulnerability is considered not to be a vulnerability, Rambus will inform the security reporter and other relevant stakeholders.

If it is considered to be a vulnerability, Rambus will perform root cause analysis. Vulnerabilities will be prioritized and categorized. We will keep the security reporter updated throughout the process.

3. Remediation Development
In this phase, Rambus develops solutions for remediating the security vulnerability. When needed, we work with our customers to find the best solution and provide support for implementing the remediation. All remediation will be tested before release to ensure the vulnerability has been resolved and does not introduce new vulnerabilities.

4. Release of Advisory, Remediation and Credit
Customers will be notified of the issue and will receive an update or patch as soon as it is available. An advisory may be released following customer notification, the timing of which may be aligned with the security reporter. Rambus may credit the security reporter, with his/her permission, following responsible vulnerability disclosure guidelines.