NETGEAR Product Security

Our Commitment

At NETGEAR, we work to connect people to the internet safely through secure design practices, supply chain integrity, proactive threat monitoring, and innovative security features. Our team is committed to a strong product security program that earns customer trust and adapts to the evolving cyber threat landscape.

Report a Vulnerability

NETGEAR's Product Security Team investigates all reports of security vulnerabilities affecting NETGEAR products and services. If you are a security researcher and believe you have discovered a potential security vulnerability, report your findings through our Bug Bounty Platform.

Researchers who do not wish to participate in the bounty program can still submit their findings through our Kudos Rewards Program or by emailing our Product Security Team at security@netgear.com.

Include in your report:

  • Affected products, models, hardware, firmware, or software versions
  • Clear reproduction steps/PoC, expected vs. actual behavior
  • Security impact or suggested severity
  • Your contact details and how to credit you or if you would prefer to remain anonymous


For more information, see our security.txt file.

Vulnerability Handling and Response

Our Product Security Team manages the secure development lifecycle across all product lines, including triage and disclosure of security concerns.

What to expect:

Initial Response

Reports are acknowledged within 3 US business days.
Initial triage is completed within 5 US business days.

Issue Resolution Updates

Researchers are informed when a fix is ready or a CVE is assigned.

Incentives and Public Recognition

Eligible contributors receive a Bug Bounty award and/or kudos recognition and are mentioned in the CVE Record if requested.

We honor FIRST TLP v2.0 labels in all our communications. If absent, we treat submissions as TLP: AMBER, which may be shared with our technology partners on a need-to-know basis for the purpose of developing or testing fixes.

Prioritization and Analysis

We prioritize the response to issues using the Stakeholder-Specific Vulnerability Categorization (SSVC) methodology and employ the Common Vulnerability Scoring System (CVSS) to assess the technical severity of the issues.

Timeline and Product Eligibility

Issues that require immediate attention trigger our emergency incident response plan and are addressed as soon as practically possible. Otherwise, we develop remediations and fixes for supported products through our standard development, quality assurance, and phased deployment cycles. In exceptional cases, remediation may take longer when it is dependent on third parties or standardization organizations. Reporters are kept informed in such cases.
All issues reported to us are triaged to determine their applicability to supported products. Generally, only products still within their support period receive security updates.

Security Advisories

Security Advisories are published on the NETGEAR Security Advisories page. Public disclosure is coordinated to maximize user safety. Researchers are credited on advisories if they wish.
Advisories for issues that require immediate attention are published as soon as reasonably possible. All other issues are published in a monthly security patch update that lists the addressed vulnerabilities.

Program Partnership with CVE

NETGEAR is a CVE Program Partner (CNA) and is authorized to assign CVE IDs and publish CVE Records for vulnerabilities in all NETGEAR products, subsidiaries’ products, and third-party components used in NETGEAR products that are not already covered by another CNA’s scope.

Assignment Process

CVE IDs and CVE Records are assigned and published according to CVE CNA Operational Rules. Our records include CWE, CVSS, and CPE information, aligned with our CISA Secure by Design Pledge goals.

Legacy Devices

Our ability to validate vulnerabilities in legacy or unsupported devices is limited. To help customers understand risks, we assign CVE IDs for issues affecting these devices when credible evidence of a vulnerability and its impact is provided.

Third-Party Components

If a vulnerability primarily affects a third-party component with its own CNA, we coordinate with that CNA and avoid duplicate assignments.

NETGEAR Aligns with Industry Standards

Our policy and processes align with widely recognized standards, frameworks, and guidelines:

Safe Harbor and Good Faith Research

We encourage security researchers to come forward with their findings and report them to us without fear of legal consequences. If you act in good faith and follow this policy, NETGEAR will consider that research to be authorized, and will not initiate legal action. Should legal action be initiated by a third party against a security researcher for activities that were conducted in accordance with this policy, NETGEAR will make this authorization known.
Good faith in this context means: avoid privacy violations, data destruction, or service disruption; do not access, exfiltrate, or retain data that is not yours; do not publicly disclose before NETGEAR has had a reasonable opportunity to fix; do not assist cyber-criminals to exploit the vulnerabilities against our customers; stop testing if you encounter user data; comply with applicable law.

LAST UPDATED: DECEMBER 2025

Applies to all hardware, firmware, software, mobile apps, cloud services, and web properties of NETGEAR and subsidiaries unless otherwise stated.