Synopsys will investigate all reports for Synopsys products/platforms that are currently supported; accepted reports will be prioritized based on severity and other environmental factors.
Throughout this process, Synopsys will strive to work collaboratively with the reporting party to validate and collect additional information as necessary. Upon determining the validity of a reported vulnerability, Synopsys will share results with the reporting party, to the extent it may do so without risk to end users. These results, depending on the security issue, include whether the report has been accepted or rejected, severity, timelines, resolution, and public disclosure plans. If the reporting party does not agree with the shared results, Synopsys will make good faith efforts to address the concerns.
During this process, Synopsys will manage all information regarding a reported vulnerability on a confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Synopsys, similarly, requires the reporting party to maintain strict confidentiality until the reported vulnerability has been comprehensively remediated.
Although this policy addresses disclosure of vulnerabilities in our products, in the event that a reported vulnerability involves a vendor product, Synopsys will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
Additionally, if Synopsys becomes aware of a vulnerability that does not affect our products/platforms, Synopsys will follow our policy for reporting vulnerabilities to vendors.
Assessing Vulnerability Severity
Synopsys encourages individuals who report vulnerabilities to evaluate and assign an initial severity using an industry-recognized standard, such as CVSSv3, NIST SP 800-30 Rev. 1, SSVC, etc. During the “Analysis” phase, Synopsys will take the reported severity into consideration while formulating an official severity. The official severity will be calculated using CVSSv3 (or another industry-recognized standard) and, whenever possible, combined with other environmental factors to prioritize remediation and disclosure timelines.
Given the complexity of security issues in the hardware context, this can lead to longer embargo periods than the software industry standard of 90 days. This additional time can be necessary for Synopsys’ customers to devise and implement mitigation strategies. In the event that Synopsys believes it will take longer than 90 days to release a fix, Synopsys will inform the reporting party of this and of the extenuating circumstances that necessitate an extended embargo period.
Acknowledgement and Publication
Synopsys values the efforts of external security researchers, industry organizations, vendors, customers, and other sources who identify security vulnerabilities and responsibly disclose them to Synopsys so that fixes can be issued to all customers. While Synopsys will not pay bounties or other monetary compensation for reporting vulnerabilities in our products, Synopsys’ policy is to acknowledge all researchers in the product/platform release notes and/or public disclosures, provided the following conditions are met:
- The reporting party agrees to their name, handle, or other contact details being shared publicly
- The reporting party does not publish the vulnerability prior to Synopsys confirming a comprehensive fix has been released
- The reporting party does not divulge exact details of the issue, for example, exploits or proof-of-concept code
Note: Synopsys does not publicly acknowledge Synopsys employees or contractors of Synopsys and its subsidiaries for vulnerabilities found in Synopsys products/platforms.
FIRST.Org, Inc. (FIRST) is a non-profit organization based in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization publishing scores should follow its guidelines so that anyone can understand how the score was calculated.