Report a product security issue

Policy Statement

Micron performs responsible and coordinated vulnerability disclosure for products.  To minimize risks to customers that may be posed by vulnerabilities, Micron does not publicly disclose reported potential vulnerabilities until we have conducted an analysis of the affected product, validated the vulnerability, and issued a remedy or other mitigating action.  

Expectations

When working with Micron pursuant to this policy, we ask that you:  

• Report a potential vulnerability to us as soon as possible.
• Use the reporting channels that are described in this policy and on our website to report an issue to us. 
• Provide Micron at least 90 days to investigate, validate, and remedy the reported issue before you disclose the reported issue publicly. 

 In return, those that provide a report to Micron can expect us to:  

• Send an email to you acknowledging receipt of your report within 2 business days; we will also work with you to understand your report.
• Strive to keep you informed of investigation, validation, and remediation activities.
• Work to remedy confirmed vulnerabilities.  The amount of time needed to resolve an issue may vary depending on whether software or hardware are potentially affected.  
• Protect customer-specific data from disclosure throughout the process performed pursuant to this policy. 

Please note that Micron does not currently offer or participate in standing bug bounty programs.  We do not honor requests for bounty payments but may provide credit to a reporting source.  

Disclaimer

Notwithstanding the foregoing, Micron does not guarantee a specific resolution for issues that are reported to us and not all issues identified may be addressed.   

Additionally, Micron reserves the right to: (1) bring timeframes noted in this policy forwards or backwards; (2) perform processes different from those described in this policy if necessary; (3) deviate from application of CVSS model if additional factors warrant use of other scoring systems; and (4) change or update this policy without notice at any time.   

Information that is disclosed pursuant to this policy is believed to be accurate and reliable at the time it is furnished.  Micron assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. 

Micron customers’ rights with respect to warranties and maintenance in any Micron product are governed by the Terms and Conditions of Sale, Legal Terms and Warranty, or Warranty statements for each product.  This policy does not modify or expand any customer rights or create any additional warranties.