Vulnerability Disclosure Policy 

Synopsys – Software Integrity Group Vulnerability Disclosure Policy 

The Software Integrity Group (SIG) within Synopsys believes that software security is most successful when it is built in and is committed to as part of the development and delivery of secure products, applications, and platforms. We also recognize that there is no silver bullet solution to security and welcome contributions from external security researchers, industry organizations, vendors, and other sources concerned with software security. 

SIG customers who are interested in performing security assessment/penetration test on their licensed products are encouraged to reach out to the following email address to confirm the necessary details prior to starting an assessment: disclosure@synopsys.com 

Responsible Disclosure Guidelines: 

To promote the discovery and reporting of vulnerabilities in our products, and to ensure user safety for other users of our products, you must adhere to the following guidelines for submission of any potential vulnerabilities: 

  • Share security issues with us confidentially, with sufficient information to evaluate your submission (recommended details below); 
  • Do not make any information public without our guidance and consent; 
  • Do not access or modify any user data in any application (regardless of whether that data belongs to SIG or an end user of the application). Only interact with your own accounts or test accounts for security research purposes; 
  • Contact us immediately if you encounter any end user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to us; 
  • Always act in good faith so as to avoid violations applicable law, the destruction of data, or the interruption or degradation of our services (including denial of service); and 
  • Otherwise comply with all applicable laws. 

We will not negotiate in response to duress or threats (e.g. we will not negotiate under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public). 

Reporting or Obtaining Support for a Suspected Security Vulnerability: 

If you have observed a potential vulnerability, you are strongly encouraged to contact our PSIRT to report it. We recommend that you include the following details when reporting a potential vulnerability: 

Technical description of the vulnerability, including: 

  • Browser information (type and version) used 
  • Relevant information about connected components and devices 

Impacted Product/Platform, including: 

  • Version(s) 
  • URL(s) 

Sample code that was used to demonstrate the vulnerability and/or detailed steps to reproduce 

Threat/risk assessment 

Date and time of discovery 

Contact information 

Possible disclosure plans 

To report a vulnerability to our PSIRT, please use the following email address: disclosure@synospys.com

We require that you encrypt any sensitive information that you send to us via email. 

We support encrypted messages via PGP/GNU Privacy Guard (GPG). SIG PSIRT’s public key is available at the following link: 

Download Public PGP Key

PGP Public Key Fingerprint: 2351 6C14 6F85 A8BA 70DB F417 5AAE 8D5A 16AC 3158 

Please note that our security contact addresses should only be used for reporting undisclosed security vulnerabilities in our products, applications, and platforms, and for managing the process of fixing such vulnerabilities. We will refuse all general support requests or other security related queries at these addresses. All mail sent to these addresses that does not relate to an undisclosed security vulnerability will be destroyed. 

For other inquiries not related to product/platform vulnerabilities, please use the following email addresses: 

Public Relations/Press Inquiries: sig-pr@synopsys.com

General (non-vulnerability) support requests: software-integrity-support@synopsys.com

Consequences of Complying with Policy: 

We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have complied with Synopsys Software Integrity Group’s Vulnerability Disclosure policy, Synopsys Software Integrity Group will take steps to make it known that your actions were conducted in compliance with this policy. 

SIG Product Security Incident Response Process Overview:

 

vulnerability disclosure process overview

Our PSIRT follows the above steps, which are briefly described below:

  1. Reception: Our PSIRT receives and acknowledges reception of the reported vulnerability.
  2. Validation & Evaluation: Our PSIRT validates the reported vulnerability & evaluates priority.
  3. Fix Development: Our PSIRT coordinates development of necessary fixes.
  4. Communication Planning: Our PSIRT develops communication strategy and timeframe.
  5. Release Preparation: Our PSIRT engages executives and subject matter experts prior to release.
  6. Release Notification: Our PSIRT releases notification simultaneously for all customers
  7. Review & Feedback: Our PSIRT collects & incorporates feedback from customers and SIG organizations.

Our PSIRT will investigate all reports for SIG products/platforms that are currently supported; accepted reports will be prioritized based on severity and other environmental factors.

Throughout this process, our PSIRT will strive to work collaboratively with the reporting individual to validate and collect additional information as necessary. Upon determining the validity of a reported vulnerability, Our PSIRT will share results with the reporting individual, to the extent it may do so without risk to other end users. These results will include whether the report has been accepted/rejected, severity, timelines, resolution and public disclosure plans. If the reporting individual doesn’t agree with the shared results, our PSIRT will make good faith efforts to address the concerns.

During the product security incident response process, our PSIRT will manage all information regarding a reported vulnerability on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Our PSIRT, similarly, requires the reporting individual to maintain strict confidentiality until the reported vulnerability has been comprehensively remediated.

In the event that a reported vulnerability involves a vendor product, our PSIRT will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.

Additionally, if our PSIRT becomes aware of a vulnerability that does not affect our products/platforms, our PSIRT will follow our policy for reporting vulnerabilities to vendors.

Assessing Vulnerability Severity:

Our PSIRT encourages those individuals who report vulnerabilities to evaluate and assign an initial severity using an industry recognized standard, such as CVSSv3 or NIST 800-30r1. While in the “Validation & Evaluation” phase, SIG PSIRT will take into consideration the initial severity while forming an official severity. This official severity will be created using CVSSv3 and used with other environmental factors to prioritize timelines.

Crediting & Publication:

SIG values the efforts of external security researchers, industry organizations, vendors, customers, and other sources who identify security vulnerabilities and responsibly disclose them to SIG so that fixes can be issued to all customers. SIG’s policy is to credit all researchers in the product/platform release notes and/or public disclosures, provided the following conditions are met:

  • The reporting individual agrees to their name, handle, or other contact details being shared publicly;
  • The reporting individual does not publish the vulnerability prior to SIG PSIRT confirming a comprehensive fix has been released; and
  • They do not divulge exact details of the issue, for example, exploits or proof-of-concept code.

Note: We do not publicly credit Synopsys employees or contractors of Synopsys and its subsidiaries for vulnerabilities they have found in our products/platforms.