OVERVIEW

Product Security Incident Response at Arm

Security doesn’t end at design. Vulnerabilities can emerge at any point, and for security leads, the risk is clear: downtime, data loss, and regulatory exposure. Arm’s Product Security Incident Response Team (PSIRT) provides a trusted, structured way to manage that risk across billions of deployed devices.


Arm’s PSIRT operates to detect, analyze, and manage vulnerabilities in Arm technology. By ensuring responsible, timely, coordinated disclosure, Arm’s PSIRT gives security leads confidence that threats are identified early, handled consistently, and communicated transparently. This means fewer surprises, faster mitigation, and stronger assurance for customers, partners, and regulators.


What this means for you:


  • Confidence that vulnerabilities are identified quickly and handled consistently, with Arm continuously monitoring reports across its products and ecosystem.
  • Reduced risk exposure through coordinated partner response, with vulnerability information shared responsibly before public disclosure.
  • Clear, transparent updates you can share with internal stakeholders and regulators, backed by Arm’s role as a CVE Numbering Authority (CNA) for transparent cataloguing.
  • Assurance that security is integrated into the entire lifecycle, with Arm’s PSIRT working as part of Arm’s broader Security Development Lifecycle for continuous protection.

PSIRT PROCESS

Arm’s Four-Phase PSIRT Process

Arm’s process is designed not just to resolve issues, but to give security leads confidence at every stage.


  1. Discover: Potential security weaknesses are identified through internal research, partner reports, and community submissions. Arm’s PSIRT will acknowledge the receipt of vulnerability reports within two business days and provide a unique identifier for each submission.

  2. Analyze: The scope, severity, and potential impact on customers, partners, and the ecosystem are assessed. Arm’s PSIRT works with any external reporters to ensure the ecosystem has time to deploy mitigations.

  3. Resolve: Arm’s PSIRT coordinates with internal teams and external partners to develop, test, and validate patches or mitigations for confirmed vulnerabilities.

  4. Communicate: Arm’s PSIRT is committed to routine and responsible communication of guidance to partners ahead of, and after, public disclosure to ensure mitigations can be deployed into the ecosystem.

At public disclosure, security bulletins are published on the Arm Security Center, backed by CVE identifiers, to provide trusted documentation for compliance and reporting.


Product Security Incident Response Process Infographic

COORDINATED VULNERABILITY DISCLOSURE

Responsible Disclosure You Can Trust

Arm follows Coordinated Vulnerability Disclosure (CVD) best practices. Where possible, vulnerabilities are communicated securely and responsibly to our partners before being shared publicly, giving them time to prepare and apply mitigations.


During embargo periods, partners may, where necessary, confidentially share patches with select ecosystem stakeholders to facilitate timely mitigations before public disclosure. This coordinated approach balances transparency with security, ensuring information is shared without increasing risk.

SECURITY LIFECYCLE

Arm’s PSIRT as Part of a Holistic Security Lifecycle

Arm’s PSIRT is part of Arm’s broader security strategy, working alongside the Security Development Lifecycle (SDL), internal red teams, and security researchers. Together, these functions ensure security is embedded from product design through long-term support.


Independent validation from Arm’s Product Security Assurance (PSA) team ensures practices remain robust and consistently applied. This gives security leads the confidence that Arm technology is not only performant, but resilient against evolving threats.

COMMUNITY COLLABORATION

Engaging with Security Experts and Communities

Security is strongest when built on collaboration, and Arm’s PSIRT maintains close partner relationships to ensure our reporting and disclosure practices meet the needs and expectations of partners and the wider Arm ecosystem.


Arm actively contributes to global security standards and best practices by working with:


As a CVE Numbering Authority (CNA), Arm assigns CVE IDs to vulnerabilities affecting its products, contributing to industry-wide transparency and consistency.

CONTACT US

Need to report a suspected vulnerability in Arm technologies? Visit the Arm Developer Security Center for detailed reporting guidance.

Arm Developer Security Center