GigaDevice Product Security Incident Response Team (PSIRT)

About GigaDevice PSIRT


GigaDevice places great importance on product security. To this end, we have established a dedicated Product Security Incident Response Team (PSIRT) responsible for receiving and responding to potential security vulnerability reports related to GigaDevice semiconductor products (including hardware, software, and documentation).


How to Report Security Vulnerabilities


Contact Information

You can report security vulnerabilities to GigaDevice PSIRT through the following method:

Email: psirt@gigadevice.com

Language: Reports may be submitted in English or Chinese

Encrypted Communication

Vulnerability information is highly sensitive. GigaDevice PSIRT strongly recommends that reporters encrypt vulnerability reports using PGP/GPG keys.

PGP Public Key Information:

Tools Available for Encryption:

  • Gpg4win (Windows)

  • GnuPG (Cross-platform)


Recommended Information to Include in Reports


To help GigaDevice PSIRT classify and assess potential security vulnerabilities, we recommend providing the following information:

Vulnerability Details

  • Detailed description of the vulnerability and date of detection

  • Description of potential vulnerability exploitation

  • Affected products, models, and versions (e.g., GD32 series MCU, GD25 Flash, etc.)

  • Software version information (e.g., SDK, RTOS version and patch level)

  • Issue description and impact (e.g., information disclosure, privilege escalation, etc.)

Reproduction Information

  • Step-by-step instructions to reproduce the issue

  • Proof of Concept (PoC), including: 

    • Sample code or scripts

    • Screenshots or video demonstrations

    • Test files

  • Supporting materials or references

Additional Information

  • Expected correct behavior or suggested solutions

  • Common Vulnerability Scoring System (CVSS) 3.1 score (if possible)

  • Any published public information (CVE, academic papers) or disclosure plans

  • Your contact information (for communication during the process)


Report Handling Process


After submission, GigaDevice PSIRT will manage reported potential security vulnerabilities according to the following process:

  • Receipt Confirmation: GigaDevice PSIRT will promptly respond to confirm receipt of your report.

  • Assessment: GigaDevice PSIRT will evaluate the potential vulnerability, conduct analysis, and set priorities. We may contact you if the original report lacks certain information or requires clarification.

  • Resolution: GigaDevice PSIRT will investigate solutions and mitigation measures to address valid issues.

  • Disclosure: When appropriate, GigaDevice will publish security advisories according to Coordinated Vulnerability Disclosure (CVD) principles, provide remediation and mitigation measures, and acknowledge contributors in the advisory (if you agree).


Important Notice


Authorization and Permission:

By submitting a security vulnerability report to GigaDevice, you confirm and agree that:

  1. You have the right to submit the report (including on behalf of your employer and affiliated parties)

  2. You grant GigaDevice the right to use the report for security vulnerability analysis, testing, remediation, patch development, security advisory publication, and other related security purposes

Confidentiality Commitment:

GigaDevice PSIRT will maintain strict confidentiality of your report content, share it only with necessary technical and management personnel, and will not disclose your identity without your consent.
