Synopsys PSIRT and Vulnerability Disclosure Policy

Synopsys is committed to the security of our products and values the contributions of security researchers, customers, industry organizations, and the broader security community in helping us identify and resolve vulnerabilities. The Synopsys Product Security Incident Response Team (PSIRT) manages the intake, triage, internal coordination, and disclosure of security vulnerability information for actively supported Synopsys products. The PSIRT helps customers minimize the risk associated with security vulnerabilities by providing timely information, guidance, mitigations, and remediations.

This policy outlines how Synopsys handles security vulnerability reports, assigns Common Vulnerabilities and Exposures (CVE) identifiers, and coordinates public disclosure of security issues affecting Synopsys and/or Ansys products. As an authorized CVE Numbering Authority (CNA), Synopsys assigns CVE IDs for qualifying vulnerabilities within our scope and publishes corresponding security advisories. Visit our Security Advisories page to stay informed about the latest updates.

Reporting a Security Vulnerability

Synopsys values the contributions of external researchers, partners, and customers in strengthening the security of our products. If you discover a potential security vulnerability in a Synopsys or Ansys product, platform, or technology, we want to hear from you. The Synopsys Product Security Incident Response Team (PSIRT) is the central point of contact for reporting product security vulnerabilities.

Email

[email protected]

Response Time

We acknowledge all reports within 7 calendar days and provide a unique tracking identifier for the report.

CVE Inquiries

Include "CVE" in the subject line for questions about existing CVE assignments or for CVE ID requests.

PGP Key Fingerprint

EC81 69B9 6079 6D31 6701 8E28 E13E 0FAA 363A FDDD

Important: The PSIRT contact address is specifically for reporting undisclosed security vulnerabilities in Synopsys and Ansys products. For general support requests, please use our official support channels. If you encounter user data during research, contact both PSIRT and our Computer Security Incident Response Team (CSIRT) immediately.

What to Include in Your Report

To help us efficiently validate and remediate reported vulnerabilities, please provide as much detail as possible:

Affected Product(s) and Version(s)

Specific product name, version number, and platform. List all known affected configurations if applicable.

Technical Description

Nature of the vulnerability, security boundary crossed, underlying cause if known, and potential impact on confidentiality, integrity, or availability.

Common Weakness Enumeration (CWE)

The CWE identifier for the type or class of weakness, if known.

Proof of Concept (PoC)

Detailed reproduction steps, sample code, configuration files, or demonstration materials that validate the vulnerability.

Contact Information

Your email address, your public PGP key, and, if you are requesting acknowledgment in our security advisory, the name or handle to credit.

Encrypted Submission Using PGP

All information submitted about newly discovered vulnerabilities is treated as confidential and is not shared publicly unless the vulnerability has already been publicly disclosed or a remediation is available. Synopsys follows coordinated vulnerability disclosure practices when engaging with third parties. This approach protects customers while acknowledging external contributions.

Synopsys strongly encourages encrypted submission of vulnerability reports to protect sensitive technical details. Include your public PGP key if you would like replies encrypted.

What NOT to Report

The following are outside the scope of Synopsys PSIRT:

  • Denial of Service attacks - Brute-force or high-bandwidth DoS/DDoS attacks without an underlying security defect
  • Automated scanner output - Raw tool output without validation or proof of exploitability (use support channels)
  • General support issues - Non-security bugs, feature requests, or product questions (use support channels)
  • Third-party products - Vulnerabilities in products not developed by Synopsys, unless integrated into our offerings (contact your vendor)
  • Customer implementation issues - Issues arising solely from customer configurations unless they reveal a product security defect (use support channels)

Remediation

Synopsys validates reported vulnerabilities for applicability and exploitability in a timely manner. Remediation timelines vary with severity, complexity, and current development cycles. Remediation delivery also varies by product and may take the form of a new release, patch, service pack, or similar. While Synopsys aims to provide remediations, they cannot be guaranteed; Synopsys may provide mitigation strategies at its discretion.

CVE Assignment Process

Synopsys is an authorized CVE Numbering Authority (CNA) under the CVE Program. As a CNA, Synopsys assigns CVE identifiers for qualifying vulnerabilities in our actively supported products.

When a reported vulnerability involves a third-party vendor product or upstream dependency, Synopsys follows industry best practices. If the upstream vendor is a CVE Numbering Authority, Synopsys defers CVE ID assignment to the vendor in accordance with CVE Program first-refusal rules. If the vendor is not a CNA, Synopsys may coordinate directly with the vendor or engage a third-party coordination center. When third-party issues affect Synopsys products, we reference the upstream CVE ID in our advisories.

Security Advisories

When Synopsys publicly discloses a vulnerability, we publish a security advisory. Stay updated by visiting our Security Advisories page.

Security advisories typically include:

  • Publication date and revision history
  • CVE identifier(s) for each vulnerability
  • Affected product names
  • CVSS v3.1 Base Score and vector string
  • Brief description and potential impact
  • Fixed versions, patches, service packs, workarounds, or mitigations
  • Acknowledgement of the reporter(s) who discovered the vulnerability

Synopsys may update advisories if new information becomes available, additional affected versions are discovered, or improved mitigations are identified. All updates are clearly marked with revision numbers and dates.

Synopsys does not distribute specific details of a vulnerability, including exploit code or reproduction information.

Severity Assessment

Synopsys uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to assess and communicate the severity of vulnerabilities. We focus on the CVSS v3.1 Base Score, which measures the intrinsic characteristics of a vulnerability that are constant over time and across deployment contexts.

  • Critical: CVSS Base Score 9.0 – 10.0
  • High: CVSS Base Score 7.0 – 8.9
  • Medium: CVSS Base Score 4.0 – 6.9
  • Low: CVSS Base Score 0.1 – 3.9

Our severity ratings reflect the intrinsic severity of the vulnerability under typical deployment assumptions, not the risk in any particular environment. The actual risk in your environment may be higher or lower. We recommend calculating CVSS Temporal and Environmental scores tailored to your specific context. For more information about CVSS, visit www.first.org/cvss.

Security Researcher Acknowledgment

Synopsys values the contributions of independent security researchers and the broader security community. When you report a valid security vulnerability to us, we are happy to publicly acknowledge your contribution in our security advisory, provided you request acknowledgement and grant permission.

Our acknowledgments include your name (or preferred handle) and optionally your affiliation, exactly as you specify. We will confirm the acknowledgment text with you before publication to ensure accuracy. If you prefer to remain anonymous, we will respect that choice and will not include attribution in our public advisory.

Synopsys does not currently operate a bug bounty program with financial rewards. We recognize that coordinated vulnerability disclosure requires significant time and expertise. Your willingness to work with us privately before public disclosure directly benefits Synopsys customers and the broader security community.

End-of-Support Products

When products reach their designated end-of-support date, they typically no longer receive security patches. However, Synopsys may issue security advisories for end-of-support products when the vulnerability is being actively exploited, affects a significant installed base, or when workarounds are available that do not require software updates.

Customers using end-of-support products are strongly encouraged to upgrade to supported versions to continue receiving security updates. For questions about product support lifecycles, please contact Synopsys Support.

Safe Harbor

Synopsys welcomes responsible security research that improves the security of our products. We consider security research conducted in accordance with this policy to be authorized conduct under applicable law, including the Computer Fraud and Abuse Act.

We will not pursue legal action against researchers who comply with this policy and act in good faith. This authorization does not extend to accessing customer data or systems without permission, or to activities that cause harm or disruption.

If you have questions about whether specific research activities fall within this policy, please contact us first.

This Synopsys Product Security and Vulnerability Disclosure Policy is subject to change. Synopsys reserves the right to update this policy at any time. Updates will be posted to this page with revision dates. For questions about this policy, please contact [email protected].

Last Updated: March 2026 | Version: 2.0