Arm's Systematic Approach to Product Security

Securing the world’s data is one of the greatest technology challenges facing the next decade of compute. Security is a vital requirement for everything Arm does, and product security is one of the key quality metrics for products delivered to partners and the wider ecosystem.

Our approach can be represented by the following areas:

Tailored Security Development Lifecycle

Arm prioritizes security measures by incorporating security processes at every stage of product creation using our tailored Security Development Lifecycle (SDL). This enables us to identify and mitigate potential risks before they reach a released product.

Dedicated Product Security Incident Response

Arm’s product security extends beyond the development phase. Our Product Security Incident Response Team (PSIRT) continually monitors our products for potential weaknesses and manages both the resolution and the responsible disclosure of vulnerabilities to our partners and the ecosystem.

Independent Product Security Assurance

Our product security assurance function drives continuous improvement of our SDL and Incident Response processes and provides independent assurance of the effectiveness of Arm's product security processes.

Pro-active Community Engagement

We actively work with partners, organizations, and universities to stay at the forefront of best practices and vulnerability research. This collaboration and knowledge sharing enhances our ability to anticipate emerging threats and implement effective security strategies.

Gary Campbell
Gary Campbell, EVP Engineering

Arm’s Product Security

“With the rising complexities in the cyber-threat landscape, it's clear that a robust approach to product security is critical to upholding the stability of the digital ecosystem. At Arm, we've taken this to heart. We've woven security into the fabric of our product development, starting with the Arm architecture through to the inception of a product's design to well after it hits the market. This is testament to how deeply we value not only the security of our own products, but also our partners and the wider ecosystem.”

Arm's Security Development Lifecycle

Embedding security into products throughout the development lifecycle is critical to reducing security risk. Arm has a diversity of products and has created customized methodologies to span design, development, and the verification of architecture, hardware, and software.


Arm ensures that engineers working on each product are trained in the customized SDL processes and provided with industry-leading tools to perform threat modeling and capture security requirements. Risk-reduction measures that cover design, verification, and documentation are applied throughout the product development lifecycle.


Product Security Development Lifecycle Infographic

Arm's Product Security Incident Response Process

Arm’s Product Security Incident Response Team (PSIRT) follows a clearly defined process for product security vulnerability handling. All potential product security vulnerabilities are managed using a four-phase approach:


  • Discover
  • Analyze
  • Resolve
  • Communicate


Arm works with researchers, partners, and technology vendors to ensure security vulnerability information is shared in a manner that minimizes the risk of exploit. Coordinated vulnerability disclosure (CVD) practices are followed to help partners and consumers respond effectively when vulnerabilities are disclosed.


Arm has a dedicated vulnerability research team that collaborates with the PSIRT to analyze and address security incidents. This team also researches new areas of security to prevent future security vulnerabilities.


Head over to the security center on Arm Developer for more information on security notices and our product security incident response process.


Product Security Incident Response Process Infographic




Need to raise an incident about an Arm product? Please contact:

Lyndon Fawcett,  Director Product Security
Lyndon Fawcett, Director Product Security

“At Arm, product security is an integral part of our culture. Our product security assurance capability provides the oversight so that security remains a priority throughout development and post-release. By adopting a data-driven approach, we continually refine our products and processes, positioning Arm at the cutting edge of security best practice”.

Security Community

Arm is a CVE Numbering Authority (CNA) for Arm-branded products and technologies and Arm-managed open-source projects. This status allows us to assign CVE IDs to newly discovered vulnerabilities within our jurisdiction, providing timely and structured information to the ecosystem.

CVE Program® Logo

Arm is a member of industry and academic communities that are advancing the state of the art in security. This includes working groups addressing hardware, software, and systems security, including within the IEEE, IETF, and MITRE. These memberships help Arm to collaborate with a global network of security experts, share knowledge, and adopt best practices to ensure our products are developed with the highest security standards, while also giving back to the wider community.

Richard Wilson, Head of Quality

Richard Wilson, Head of Quality

“At Arm, our commitment to quality and product security is integral to our product development lifecycle. Arm’s quality policy states our commitment to meeting partners’ security requirements by continually improving our products and services to meet expectations. Our ISO 9001 quality certification encompasses product security, demonstrating our relentless pursuit of excellence.”