Qualcomm Product Security
We, Qualcomm Incorporated and its subsidiaries, understand that maintaining a large variety of products comes with certain responsibilities. Therefore, we take security vulnerabilities very seriously and always seek to respond appropriately.
Join Our Team
If you’d like to join Qualcomm Product Security team, please consider these opportunities.
Reporting Security Vulnerabilities
If you have found a potential security issue in any Qualcomm® product or software, please contact us via email: email@example.com
For encrypted communication, you may use our public key.
We will do our best to respond within a maximum of 48 hours. But if you do not receive a response within this time frame, please feel free to follow up with us to ensure that we have received your original report.
The following information will help us to evaluate your submission as quickly as possible. If available, please include in your report:
- Vulnerability type (buffer overflow, integer overflow, …)
- Issue impact (arbitrary code execution, information disclosure, …)
- Affected product and version
- Instructions to reproduce the issue
- A proof-of-concept (PoC)
Publication of Vulnerabilities
We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. As an active member of Code Aurora Forum (CAF), Qualcomm Innovation Center, Inc. also shares reports of security vulnerabilities with CAF and the open source community. Such communications will oftentimes include attributions to reporters of those vulnerabilities unless those reporters request otherwise.
We currently do not release public information regarding vulnerability-related modifications to proprietary code. But communications to our customers regarding such modifications will include attributions to reporters of security vulnerabilities unless those reporters request otherwise.
Hall of Fame
The Qualcomm® Product Security Hall-of-Fame lists the researchers who have helped us improve the security of our products.
How fast will you address security vulnerabilities?
We aim to address security issues and communicate them to our stakeholders within 90 days (e.g. through security bulletins). While we strive to meet this deadline every time, the complexity and the large number of products and product lines that we support may prevent us from doing so. We will do our best to keep you updated throughout this process when appropriate.
Will I have to sign some kind of Non-Disclosure Agreement?
Can I submit vulnerability information anonymously?
We respect privacy, if you wish to stay anonymous, we will not have further records of your name or identity in any further communication regarding the matter.