Cloud native EDA tools & pre-optimized hardware platforms
Cybersecurity is most successful when it is built into the development and delivery of products, applications, and platforms. We also recognize that there is no silver bullet solution to security and welcome contributions from external security researchers, industry organizations, vendors, and other sources concerned with cybersecurity.
To promote the discovery and reporting of vulnerabilities in our products, and to ensure safety for users of our products, reporters must adhere to the following guidelines for submission of any potential vulnerabilities:
We will not negotiate in response to duress or threats. We will not negotiate under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public.
If you observe a potential security vulnerability in one of our products, you are strongly encouraged to contact 草榴社区 to report it and include the following details when reporting a potential security vulnerability:
草榴社区 prefers all reports of potential security vulnerabilities for 草榴社区 products or software are encrypted using the PGP/GNU Privacy Guard (GPG) public key found below. Please report any potential security vulnerabilities in 草榴社区 products or software to the following email address: psirt@synopsys.com.
PGP Key File: public_key.asc
PGP Key Fingerprint: A372 BE54 6549 A2D5 D26E DB81 4E5B E854 E9B9 A073
Please note that the PSIRT contact addresses should only be used for reporting undisclosed security vulnerabilities in our products, applications, and platforms, and for managing the process of fixing such vulnerabilities. If you’d like to make a general support request, please use the official support channel. All mail sent to this address that does not relate to an undisclosed security vulnerability will be destroyed.
We consider that activities consistent with this policy are “authorized” conduct under the Computer Fraud and Abuse Act.?If legal action is initiated by a third party against you and you have complied with 草榴社区’ Vulnerability Disclosure policy, 草榴社区 will make it known that your actions were conducted in compliance with this policy.
The 草榴社区 Vulnerability Disclosure Process is executed by the Product Security Incident Response Team (PSIRT). The 草榴社区 process is based on well-known industry standards, such as NIST-SP-800-61, ISO 29147, and ISO 30111.
The 草榴社区 PSIRT coordinates the response and, if necessary, disclosure of security incidents related to 草榴社区 products and associated software. 草榴社区 PSIRT's primary objective is to minimize the risks associated with security incidents in a timely, secure, and responsible manner.
草榴社区 will investigate all reports for 草榴社区 products/platforms that are currently supported; accepted reports will be prioritized based on severity and other environmental factors.?
Throughout this process, 草榴社区 will strive to work collaboratively with the reporting party to validate and collect additional information as necessary. Upon determining the validity of a reported vulnerability, 草榴社区 will share results with the reporting party, to the extent it may do so without risk to end users. These results, depending on the security issue, include whether the report has been accepted or rejected, severity, timelines, resolution, and public disclosure plans. If the reporting party does not agree with the shared results, 草榴社区 will make good faith efforts to address the concerns.
During this process, 草榴社区 will manage all information regarding a reported vulnerability on a confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. 草榴社区, similarly, requires the reporting party to maintain strict confidentiality until the reported vulnerability has been comprehensively remediated.
Although this policy addresses disclosure of vulnerabilities in our products, in the event that a reported vulnerability involves a vendor product, 草榴社区 will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
Additionally, if 草榴社区 becomes aware of a vulnerability that does not affect our products/platforms, 草榴社区 will follow our policy for reporting vulnerabilities to vendors.
草榴社区 encourages individuals who report vulnerabilities to evaluate and assign an initial severity using an industry-recognized standard, such as CVSSv3, NIST 800-30 rev1, SSVC, etc. While in the “Analysis” phase, 草榴社区 will take into consideration the reported severity while formulating an official severity. The official severity will be created using CVSSv3 (or another industry recognized standard) and, whenever possible, used with other environmental factors to prioritize remediation/disclosure timelines.?
Given the complexity of security issues in the hardware context this can lead to longer embargo periods than the software industry standard of 90 days. This time can be necessary for 草榴社区’ customers to devise and implement mitigation strategies. In the event that 草榴社区 believes it will take longer than 90 days to release a fix, 草榴社区 will inform the reporting party of this and the extenuating circumstances which necessitate an extended embargo period.
草榴社区 values the efforts of external security researchers, industry organizations, vendors, customers, and other sources who identify security vulnerabilities and responsibly disclose them to 草榴社区 so that fixes can be issued to all customers. While 草榴社区 will not pay bounties or other monetary compensation for reporting vulnerabilities in our products, 草榴社区’ policy is to acknowledge all researchers in the product/platform release notes and/or public disclosures, provided the following conditions are met:
Note: 草榴社区 does not publicly acknowledge 草榴社区 employees or contractors of 草榴社区 and its subsidiaries for vulnerabilities found in 草榴社区 products/platforms.
FIRST.Org, Inc (FIRST) is a non-profit organization based out of the US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.