Product Security
SEGGER products are used in a multitude of applications where reliability, maintainability, and long-term support are important. With our decades-long commitment to software excellence, our product security is a perfect match with today’s cybersecurity regulations, such as the Cyber Resilience Act.
Security is a core element of product quality
At SEGGER, product security is an integral part of our decades-long commitment to software excellence. While cyber regulations like the European Cyber Resilience Act (CRA), the Radio Equipment Directive (RED), and the Network and Information Security Directive 2 (NIS2) reshape the industry, SEGGER already provides a secure and trusted commercial solution ticking all the checkboxes introduced with the new regulations.

“Security is not only a regulatory requirement — it is a key element of product quality and customer trust.”
Hendrik Sawukajtis, CEO - SEGGER
To maintain these high standards, our high-quality development processes integrate established security standards backed by decades of continuous software maintenance and optimized testing. Furthermore, we actively collaborate with the security community and encourage the responsible reporting of any potential software vulnerabilities.
Master the Cyber Resilience Act
Software is a critical element in digital products, especially in embedded systems. In order for manufacturers to comply with CRA requirements, it is more important than ever to choose high-quality, secure software components. Otherwise, navigating the strict requirements of the CRA can turn into a compliance and liability nightmare for companies.
SEGGER offers a peace-of-mind solution for your CRA compliance challenge. Our entire embedded software portfolio is:
- Trusted and established: Developed entirely in Germany with a decades-long track record and billions of deployed devices running SEGGER software.
- Long-term support & maintenance: Dedicated security updates and professional developer-to-developer support.
- Silicon-independent: Our products share the same attributes across a multitude of supported platforms. For customers using multiple platforms this means the same security level for all.
SBOMs and technical documentation
emPower OS and each of its related products include a Software Bill of Materials (SBOM), which enables manufacturers to identify all of the components that they might include in their product. SBOMs are helpful for identifying dependencies with internal and third-party components, and they also provide identifiers for all components, which facilitates vulnerability monitoring with common vulnerability databases, such as CVE and EUVD.
SEGGER also provides extensive technical documentation (including user guides and application notes) for all embedded software products. Technical documentation helps manufacturers carry out risk assessments and threat modeling, and it provides interface descriptions and best practices. In addition, test reports and analysis results can be provided as additional packages.
Long-term maintenance and support
SEGGER’s Embedded Experts work continuously to enhance, improve, and resolve issues with SEGGER products. In addition to providing standard agreements that cover support and updates, SEGGER offers long-term service (LTS) agreements that provide manufacturers with security patches for the full lifespan of our products.
Security by design & product lifecycle
At SEGGER, cybersecurity is embedded into our entire product development process for embedded software & middleware solutions.
Our goal is to help customers build reliable, maintainable, and secure embedded systems based on SEGGER technologies. We have established, and continuously improve, our development process with a strong focus on:
- Secure Software Development: Strict coding standards, automated security testing, and product security reviews.
- Continuous Vulnerability Management: Proactive internal monitoring and risk assessment, which includes Coordinated Vulnerability Disclosure (CVD).
- Security-focused maintenance and updates: Product maintenance is governed by vulnerability management and is kept in compliance with applicable cybersecurity requirements.
By integrating security into development, we help reduce risk, improve product resilience, and support long-term product quality. These secure development practices are applied across our entire portfolio.

Why security matters for embedded systems
Connected embedded systems are increasingly deployed in a multitude of segments such as automotive, commercial, consumer, industrial, medical, and many others. As cyber threats and regulatory requirements continue to evolve, device manufacturers must ensure their products remain secure throughout their entire operational lifetime.
Implementing robust product security while working with trusted commercial software modules enables organizations to:
- Mitigate cybersecurity risks: Proactively protect intellectual property and devices from unauthorized access and exploits.
- Ensure regulatory compliance: Seamlessly meet the strict legal requirements of the CRA and avoid market entry barriers.
- Maintain long-term reliability: Guarantee continuous operation through secure lifecycle management.
- Boost customer confidence: Demonstrate accountability and transparency, protecting your brand reputation.
- Accelerate incident resolution: Benefit from structured, fast-tracked vulnerability handling and rapid patch availability.
- Reduce compliance overhead: Avoid the high costs and complexity of retroactively securing unmaintained software stacks.
Product Security Incident Response Team (PSIRT)
Product security extends far beyond the release date. The SEGGER PSIRT acts as our central, authoritative unit to coordinate the triage, investigation, and remediation of security vulnerabilities.
Coordinated Vulnerability Disclosure (CVD)
SEGGER supports Coordinated Vulnerability Disclosure (CVD) and encourages customers, security researchers, and industry partners to report potential vulnerabilities responsibly.
This collaborative approach ensures that reported issues can be properly assessed, investigated, and addressed before public disclosure. By following the CVD process, we collectively reduce risk for customers and users while maintaining transparency.
PSIRT core responsibilities
Our dedicated security team is fully authorized to prioritize incident response and is responsible for:
- Central intake: Receiving and verifying security reports from global researchers and customers.
- Technical investigation: Coordinating internal root-cause analyses and risk assessments.
- Remediation management: Driving the development of patches, workarounds, and software updates.
- Ecosystem protection: Publishing transparent security advisories to keep users informed and secure.
The following five-step lifecycle outlines exactly how a reported vulnerability is handled from initial submission to final resolution.
SEGGER's PSIRT process
Submit a vulnerability report
If you believe you have identified a security vulnerability affecting a SEGGER product, please use the form below to contact the SEGGER Product Security Incident Response Team (PSIRT).
All reports will be reviewed and handled in accordance with our vulnerability management and Coordinated Vulnerability Disclosure processes.
Alternative contact method:
If you are unable to use the reporting form, vulnerability reports may also be submitted via email to:
FAQ
What should I report?
Any potential security vulnerability affecting a SEGGER product, software component, or service.
Who can report vulnerabilities?
Customers, researchers, partners, distributors, and other stakeholders.
How do I report a vulnerability?
The preferred method is to use the vulnerability reporting form on this page. Alternatively, reports may be submitted via email to psirt@segger.com.
What happens after I submit a report?
The SEGGER PSIRT will review the report, perform an initial assessment, and coordinate any necessary technical investigations.
Will I receive an acknowledgement?
Yes. We aim to acknowledge vulnerability reports within a reasonable timeframe and may request additional information if required.
Does SEGGER support Coordinated Vulnerability Disclosure?
Yes. SEGGER supports Coordinated Vulnerability Disclosure (CVD) and encourages responsible reporting of potential security vulnerabilities.
Will SEGGER publish security advisories?
Where appropriate, SEGGER may publish security advisories to inform customers about vulnerabilities, mitigations, and available fixes.
What information should I include in my report?
Whenever possible, please provide:
- Product name
- Product version
- Detailed description
- Reproduction steps
- Proof of concept
- Potential impact assessment
How does SEGGER support the Cyber Resilience Act?
SEGGER continuously strengthens its security processes, vulnerability management procedures, documentation, and incident handling capabilities to support applicable CRA requirements.