Altera® Product Security Incident Response
How to Report Potential Security Vulnerabilities
The public PGP key for psirt@altera.com can be downloaded here.
Key ID: F953 CC13 6BC2 F9FB
Fingerprint: 504A32EE9183D1B22F1E80FDF953CC136BC2F9FB
Expiration Date: 10/28/2025
Altera PSIRT Vulnerability Handling Process
Intake and Triage
When a potential security vulnerability is reported, the first step is the structured intake and triage process.
- Submission: Reports are received through our bug bounty program (Intigriti) or psirt@altera.com.
- Acknowledgment: The reporter receives an initial acknowledgment within a few working days of submission.
- Preliminary Assessment: Intigriti or Altera PSIRT validates the report, ensuring that it contains sufficient information (e.g., product, version, detailed description, proof-of-concept if available).
- Triage: The issue is reviewed for relevance, impact, and reproducibility. Non-security or out-of-scope reports are filtered out.
Severity and Prioritization Analysis
Once a vulnerability is confirmed, the PSIRT assesses its severity and determines prioritization for response.
- Risk Analysis: The team uses standardized scoring systems such as CVSS (Common Vulnerability Scoring System) to assess the vulnerability’s impact, exploitability, and scope.
- Prioritization: Vulnerabilities are prioritized based on severity, affected products, customer impact, and potential for exploitation.
- Stakeholder Notification: Relevant internal teams and stakeholders are informed of the vulnerability and its prioritization status.
Mitigation Planning and Execution
The PSIRT coordinates with engineering and product teams to develop, test, and deploy mitigations or fixes.
- Mitigation Strategy: Options may include software patches, firmware updates, configuration changes, or workarounds.
- Development: Engineering teams develop and validate fixes, ensuring they address the vulnerability without introducing regressions.
- Testing: Fixes undergo rigorous quality assurance and security testing.
- Deployment Planning: Plans are created for releasing updates, including documentation and customer communications.
- CVE Assignment: If applicable, a CVE ID is requested or reserved in accordance with CVE.org policy.
Disclosure
Altera PSIRT manages both non-public (NDA) and public disclosure in a coordinated and responsible manner.
- NDA Disclosure:
  - Impacted customers and partners under Non-Disclosure Agreements (NDAs) may receive early notification and pre-release mitigation guidance.
  - Coordinated disclosure timing is established to allow affected parties time to implement mitigations.
- Public Disclosure:
  - Once mitigations are available and customers have been notified, Altera PSIRT publishes security advisories on its website and/or mailing lists.
  - The advisory includes a CVE ID (if assigned), a description of the vulnerability, affected products, mitigation steps, and references to patches or updates.
  - Altera participates in public vulnerability databases and coordinates with CVE.org to ensure accurate information dissemination.
Coordinated Disclosure
Altera is committed to collaborating with vulnerability reporters to coordinate the timing and details of public disclosures whenever feasible. If you intend to publish information about an Altera vulnerability, we encourage you to partner with us to ensure disclosures are synchronized.
Addressing vulnerabilities often involves complex challenges, and a single, fixed timeline for resolution may not be suitable for every situation. Since Altera FPGA devices are frequently integrated into broader supply chains, resolving an issue may require engagement with multiple organizations. In certain cases, mitigation may not be possible for existing devices. Therefore, Altera works closely with partners to allow them adequate time to develop and implement their own patches, mitigation strategies, and disclosures before any public announcement.
| Altera PSIRT ID | Title | CVEs | Release Date | Last Updated |
|---|---|---|---|---|
| ASA-0003 | High Level Synthesis Compiler | NA | May 13, 2025 | May 13, 2025 |
| ASA-0002 | Quartus® Prime Standard | NA | May 13, 2025 | May 13, 2025 |
| ASA-0001 | Quartus® Prime Pro | NA | May 13, 2025 | May 13, 2025 |