Vulnerability Disclosure Policy
Synopsys – Software Integrity Group Vulnerability Disclosure Policy
The Software Integrity Group (SIG) within Synopsys believes that software security is most successful when it is built in and committed to as part of the development and delivery of secure products, applications, and platforms. We also recognize that there is no silver-bullet solution to security, and we welcome contributions from external security researchers, industry organizations, vendors, and other sources concerned with software security.
SIG customers who are interested in performing a security assessment or penetration test on their licensed products are encouraged to contact the following email address to confirm the necessary details before starting an assessment: firstname.lastname@example.org
Responsible Disclosure Guidelines:
To promote the discovery and reporting of vulnerabilities in our products, and to ensure the safety of other users of our products, you must adhere to the following guidelines when submitting any potential vulnerability:
- Share security issues with us confidentially, with sufficient information to evaluate your submission (recommended details below);
- Do not make any information public without our guidance and consent;
- Do not access or modify any user data in any application (regardless of whether that data belongs to SIG or an end user of the application). Only interact with your own accounts or test accounts for security research purposes;
- Contact us immediately if you encounter any end user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to us;
- Always act in good faith so as to avoid violations of applicable law, the destruction of data, or the interruption or degradation of our services (including denial of service); and
- Otherwise comply with all applicable laws.
We will not negotiate in response to duress or threats (e.g. we will not negotiate under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
Reporting or Obtaining Support for a Suspected Security Vulnerability:
If you have observed a potential vulnerability, you are strongly encouraged to contact our PSIRT to report it. We recommend that you include the following details when reporting a potential vulnerability:
- Technical description of the vulnerability, including:
  - Browser information (type and version) used
  - Relevant information about connected components and devices
- Impacted Product/Platform, including:
- Sample code that was used to demonstrate the vulnerability and/or detailed steps to reproduce
- Date and time of discovery
- Possible disclosure plans
To report a vulnerability to our PSIRT, please use the following email address: email@example.com
We require that you encrypt any sensitive information that you send to us via email.
We support encrypted messages via PGP/GNU Privacy Guard (GPG). SIG PSIRT’s public key is available at the following link:
Download Public PGP Key
PGP Public Key Fingerprint: 2351 6C14 6F85 A8BA 70DB F417 5AAE 8D5A 16AC 3158
Please note that our security contact addresses should only be used for reporting undisclosed security vulnerabilities in our products, applications, and platforms, and for managing the process of fixing such vulnerabilities. We will refuse all general support requests and other security-related queries sent to these addresses. All mail sent to these addresses that does not relate to an undisclosed security vulnerability will be destroyed.
For other inquiries not related to product/platform vulnerabilities, please use the following email addresses:
Public Relations/Press Inquiries: firstname.lastname@example.org
General (non-vulnerability) support requests: email@example.com
Consequences of Complying with Policy:
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have complied with Synopsys Software Integrity Group’s Vulnerability Disclosure Policy, Synopsys Software Integrity Group will take steps to make it known that your actions were conducted in compliance with this policy.