top

Report an Issue

For general security inquiries or to report a security issue in any Semtech (formerly Sierra Wireless) product, please email security@sierrawireless.com.

Please do not include any vulnerability details in your initial email. We request the reporter keep any communication regarding the vulnerability confidential. Within 2 business days, you will receive a response using the contact information provided to arrange a secure environment for sharing information. Status updates will be provided to the submitter at least once every two weeks until an agreed-upon resolution is reached.

To help us evaluate your submission as quickly as possible we request that you include the following information, if available:

  • Vulnerability type (buffer overflow, integer overflow, …)
  • Issue impact (arbitrary code execution, information disclosure, …)
  • Affected product and version
  • Instructions to reproduce the issue
  • A proof-of-concept (PoC), if available

When we issue an advisory to disclose security vulnerabilities and related code modifications, we will identify the reporter to give credit for their discovery, unless the reporter requests otherwise.

Legal Posture

We accept reports for all of our systems and products.  We will not pursue legal action against individuals who report potential vulnerabilities to us, provided they act in good faith and in a manner consistent with responsible practices for vulnerability detection and reporting. We will generally consider your activities to be in good faith and responsible if you meet all of the following criteria:

  • You test our systems and products in a way that does not harm Semtech or our customers, or affect our customers’ use of the system or product;
  • You comply with the laws of your location and the locations where Semtech operates; and
  • You report vulnerabilities to us promptly following discovery, and do not disclose the details to anyone else before a mutually agreed-upon timeframe has expired.

Semtech may amend or modify our policies relating to vulnerability reporting at any time, without notice.

*NOTE* Semtech does not currently operate a bug bounty program and does not issue payment for submissions.