The Software Integrity Group (SIG) within Synopsys believes that software security is most successful when it is built in, and is committed to building it in as part of the development and delivery of secure products, applications, and platforms. We also recognize that there is no silver bullet solution to security and welcome contributions from external security researchers, industry organizations, vendors, and other sources concerned with software security.
SIG customers who are interested in performing a security assessment or penetration test on their licensed products are encouraged to reach out to the following email address to confirm the necessary details before starting an assessment: disclosure@synopsys.com
To promote the discovery and reporting of vulnerabilities in our products, and to ensure the safety of other users of our products, you must adhere to the following guidelines when submitting any potential vulnerability:
We will not negotiate in response to duress or threats (e.g. we will not negotiate under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
If you have observed a potential vulnerability, you are strongly encouraged to contact our PSIRT to report it. We recommend that you include the following details when reporting a potential vulnerability:
Technical description of the vulnerability, including:
Impacted Product/Platform, including:
Sample code that was used to demonstrate the vulnerability and/or detailed steps to reproduce
Threat/risk assessment
Date and time of discovery
Contact information
Possible disclosure plans
To report a vulnerability to our PSIRT, please use the following email address: disclosure@synopsys.com
We require that you encrypt any sensitive information that you send to us via email.
We support encrypted messages via PGP/GNU Privacy Guard (GPG). SIG PSIRT’s public key is available at the following link:
PGP Public Key Fingerprint: 2351 6C14 6F85 A8BA 70DB F417 5AAE 8D5A 16AC 3158
Please note that our security contact addresses should only be used for reporting undisclosed security vulnerabilities in our products, applications, and platforms, and for managing the process of fixing such vulnerabilities. We will refuse all general support requests or other security related queries at these addresses. All mail sent to these addresses that does not relate to an undisclosed security vulnerability will be destroyed.
For other inquiries not related to product/platform vulnerabilities, please use the following email addresses:
Public Relations/Press Inquiries: sig-pr@synopsys.com
General (non-vulnerability) support requests: software-integrity-support@synopsys.com
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have complied with Synopsys Software Integrity Group’s Vulnerability Disclosure policy, Synopsys Software Integrity Group will take steps to make it known that your actions were conducted in compliance with this policy.
Our PSIRT follows the above steps, which are briefly described below:
Our PSIRT will investigate all reports for SIG products/platforms that are currently supported; accepted reports will be prioritized based on severity and other environmental factors.
Throughout this process, our PSIRT will strive to work collaboratively with the reporting individual to validate the report and collect additional information as necessary. Upon determining the validity of a reported vulnerability, our PSIRT will share results with the reporting individual, to the extent it may do so without risk to other end users. These results will include whether the report has been accepted or rejected, its severity, timelines, resolution, and public disclosure plans. If the reporting individual doesn’t agree with the shared results, our PSIRT will make good faith efforts to address the concerns.
During the product security incident response process, our PSIRT will manage all information regarding a reported vulnerability on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Our PSIRT, similarly, requires the reporting individual to maintain strict confidentiality until the reported vulnerability has been comprehensively remediated.
In the event that a reported vulnerability involves a vendor product, our PSIRT will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
Additionally, if our PSIRT becomes aware of a vulnerability that does not affect our products/platforms, our PSIRT will follow our policy for reporting vulnerabilities to vendors.
Our PSIRT encourages individuals who report vulnerabilities to evaluate and assign an initial severity using an industry recognized standard, such as CVSSv3 or NIST 800-30r1. During the “Validation & Evaluation” phase, SIG PSIRT will take the initial severity into consideration while determining an official severity. This official severity will be determined using CVSSv3 and used together with other environmental factors to prioritize timelines.
SIG values the efforts of external security researchers, industry organizations, vendors, customers, and other sources who identify security vulnerabilities and responsibly disclose them to SIG so that fixes can be issued to all customers. SIG’s policy is to credit all researchers in the product/platform release notes and/or public disclosures, provided the following conditions are met:
Note: We do not publicly credit Synopsys employees or contractors of Synopsys and its subsidiaries for vulnerabilities they have found in our products/platforms.