Product Security

Report a Bug

Qualcomm takes security very seriously and we strive to address any security-related issues quickly and appropriately. If you have found a potential security issue in any Qualcomm product or software, please contact us via email at product-security@qualcomm.com, or use the form below. For encrypted communication, you may use our public key.


If you have found a potential security issue in any Qualcomm® product or software, please contact us via email: product-security@qualcomm.com. People who submit high-quality reports are often invited to our Vulnerability Rewards Program. You may also request an invitation without submitting a report first, if you send us some references (CVE ID, IDs with public references from other programs) that provide evidence that you have already successfully submitted vulnerability reports to other programs. Please contact us via product-security@qualcomm.com to request an invitation. For encrypted communication, you may use our public key. We will do our best to respond within a maximum of 48 hours. If you do not receive a response within this time frame, please feel free to follow up with us to ensure that we have received your original report.

Vulnerability Rewards Programs

Qualcomm Technologies, Inc. (QTI) has a vulnerability rewards program designed to expand collaboration with invited security researchers who improve the security of the Qualcomm® Snapdragon™ family of processors, 5G modems and related technologies. The program is administered in collaboration with the vulnerability coordination platform HackerOne. Security researchers who submit high-quality issues may be invited to join Qualcomm’s Vulnerability Reward Program. Researchers with a proven history of submitting high-quality issues in other areas may be invited to join the Program; we encourage such individuals to reach out to us at product-security@qualcomm.com. See Report a vulnerability below.

Public Key

Please refer to the information below for encrypted communication of product security issues to product-security@qualcomm.com.

Key Details:
key fingerprint B5BD 2494 A3BD 7538 222F D60E 9A66 A04F 7659 9296
uid Qualcomm Product Security Team - 2020
product-security@qualcomm.com
2020-05-06 [expires: 2023-05-06]

FAQ

How fast will you address security vulnerabilities?

We aim to address security issues and communicate them to our stakeholders within 90 days (e.g. through security bulletins). While we strive to meet this deadline every time, the complexity and the large number of products and product lines that we support may prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.

Will I have to sign some kind of Non-Disclosure Agreement?

No.

Can I submit vulnerability information anonymously?

We respect privacy. If you wish to stay anonymous, we will not have further records of your name or identity in any further communication regarding the matter.

Report Details

The following information will help us to evaluate your submission as quickly as possible. If available, please include in your report:

  • Vulnerability type (buffer overflow, integer overflow, …)
  • Issue impact (arbitrary code execution, information disclosure, …)
  • Affected product and version
  • Instructions to reproduce the issue
  • A proof-of-concept (PoC)

Publication of Vulnerabilities

We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. As an active member of Code Aurora Forum (CAF), Qualcomm Innovation Center, Inc. also shares reports of security vulnerabilities with CAF and the open source community. Such communications will oftentimes include descriptions of issues, their severity based on our vulnerability rating guidelines, and attributions to reporters of those vulnerabilities unless those reporters request otherwise.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
