To report a potential security vulnerability in a Nuvoton product, please contact the Nuvoton Product Security Incident Response Team at security@nuvoton.com. Due to their sensitive nature, Nuvoton strongly urges that emails regarding potential vulnerabilities are encrypted. Our PGP key can be found here.
Please be sure to include as much information about the issue as possible including 

• As many details about the Nuvoton product as you can such as Part Number, Product Category (e.g., TPM, MCU, EC, BMC), Chip Revision, Firmware/Software Version
• A description of the issue with detailed steps or information on how to reproduce the problem
• Any supporting information (such as logs, crash dumps, packet captures and screenshots)
• References to known vulnerabilities with relevant CVE’s where applicable

Alternatively, you can use the form below to report a potential security vulnerability

If you have other questions or are experiencing an issue related to the website (including website related security issues), please use this Contact us form to get in touch with our support team, as the current page is only for Product related security issues.

Nuvoton endeavors to work with industry, government organizations, and the security community when reporting vulnerabilities. Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Security researchers who wish to publicize Nuvoton vulnerability details are asked to wait 90 days until after public disclosure of the vulnerability has taken place and to coordinate whenever possible with Nuvoton.