Responsible Disclosure Policy
At TrustMotion, we take cybersecurity seriously and we are committed to maintaining the security of our products and service offerings. We recognize the valuable role that the cybersecurity community plays in identifying vulnerabilities.
We encourage independent research and ethical hacking of our products. If you have found a vulnerability, we would appreciate it if you informed us in accordance with the guidelines provided below.
Commitment to Product Security
TrustMotion integrates cybersecurity throughout the full software lifecycle, covering design, development, integration, and maintenance. The objective is to ensure robust, reliable, and secure software solutions for automotive and embedded systems.
TrustMotion operates as a software-focused entity with a vendor-neutral approach toward semiconductor and hardware platforms. This ensures compatibility across multi-vendor ecosystems and avoids dependency on a single silicon provider.
PSIRT Governance Model
Product Security Incident Response for TrustMotion is managed by the NXP Product Security Incident Response Team (PSIRT).
All vulnerability intake, coordination, disclosure, and communication processes related to TrustMotion products are handled through NXP PSIRT. This ensures:
- A mature, industry-established vulnerability handling process
- Centralized coordination across hardware and software layers
- Alignment with recognized responsible disclosure practices
TrustMotion collaborates internally with NXP PSIRT to perform impact analysis, define mitigations, and communicate with affected stakeholders.
Reporting Security Vulnerabilities
All security vulnerabilities related to TrustMotion products must be reported directly through the NXP PSIRT channels.
Official NXP PSIRT page: https://www.nxp.com/psirt
NXP PSIRT provides:
- Secure vulnerability submission mechanisms
- Coordinated disclosure processes
- Security advisories and incident tracking
- Communication guidelines for researchers and customers
Submitters should include:
- Detailed vulnerability description
- Affected products and versions
- Reproduction steps or proof-of-concept
- Impact assessment
Scope of Handling
The following model applies:
- TrustMotion software vulnerabilities:
Managed by NXP PSIRT in coordination with TrustMotion engineering and product teams.
- NXP hardware or firmware vulnerabilities:
Fully managed by NXP PSIRT.
Independence and Neutrality Statement
TrustMotion remains a distinct software entity operating with a vendor-neutral technical strategy, despite being part of NXP.
The use of NXP PSIRT as the incident response authority reflects an operational decision to leverage an established security infrastructure, not a restriction of technological scope.
TrustMotion:
- Supports deployment across multiple semiconductor platforms
- Maintains neutrality in software design and integration
- Evaluates vulnerabilities based on technical impact, independent of silicon vendor