Semtech will make a best effort to meet the following response targets for researchers participating in our program:

• First Response: 2 business days
• Time to Triage: 10 business days after first response
• Time to Resolution: Depends on severity and complexity

We will keep you informed about our progress throughout the process.

• Upon confirmation of a valid report, Semtech will work with you to agree on a reasonable embargo period prior to public disclosure. The duration will reflect the severity and complexity of the vulnerability. During this period, please keep all details of the vulnerability, including any assigned CVE ID, confidential. Semtech will notify you when the Security Bulletin has been published.
• Follow HackerOne's disclosure guidelines.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Tabnabbing.
• Open redirect — unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction.
• Credentials discovered solely through third-party breach aggregation or monitoring sites (e.g., HaveIBeenPwned, breach databases) where the exposure occurred outside Semtech’s current infrastructure. Credentials discovered through active testing of Semtech’s current systems, applications, or services remain in scope.

You must comply with this Policy and all applicable laws in your jurisdiction in connection with your security research activities or other participation in this Program. Semtech does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this Policy or the law. If you engage in any activities that are inconsistent with this Policy or the law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Semtech entity, that third party may independently determine whether to pursue legal action or remedies related to such activities.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this Policy: (1) Semtech will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than Semtech, Semtech will take steps to make known that your activities were conducted pursuant to and in compliance with this Policy.

Thank you for helping keep Semtech and our customers safe!