Description

Altera is a leading global semiconductor company known for its innovation in programmable logic devices (PLDs), including field-programmable gate arrays (FPGAs), complex programmable logic devices (CPLDs), and related software tools.

Bounties
Severity      CVSS score    Tier 1      Tier 2
Low           0.1 - 3.9     $500        $500
Medium        4.0 - 6.9     $3,000      $1,500
High          7.0 - 8.9     $10,000     $3,500
Critical      9.0 - 9.4     $15,000     $5,000
Exceptional   9.5 - 10.0    $30,000     $10,000

Tier 1: $500 - $30,000
Tier 2: $500 - $10,000

Rules of engagement

By participating in this program, you agree:

  • To follow the Intigriti Community Code of Conduct. See “Intigriti Community Code of Conduct.”
  • To follow the Intigriti Terms and Conditions. See “Intigriti Terms and Conditions.”
  • To follow these Rules of Engagement and adhere to the scope of the Program.
  • You will not discuss or disclose vulnerability information with anyone not authorized by Altera without prior written consent from Altera (including PoCs on YouTube, Vimeo, etc.).
  • You meet the eligibility criteria for this program. See the “Security Researcher and Reporter Eligibility Criteria” section.
  • Your submission meets the eligibility requirements for this program. See the “Report Eligibility Criteria” and “Product Eligibility Criteria” sections.
  • You will not attempt to access anyone else's data or personal information, including by exploiting a vulnerability. See the “Sensitive and Personal Information” section.
  • To have freely given Altera a perpetual license for all information and communications provided through the reporting process. See the “Intellectual Property” section.

By participating in this program, Altera agrees:

  • To provide reasonable safe harbor to researchers following all Rules of Engagement. See the “Safe Harbor” section.
  • To provide named acknowledgment on Altera disclosure(s) that include information provided during the reporting process. See the “Intellectual Property” section.
  • To award monetary rewards for valuable security research as defined in this program.
  • To use the current CVSS standard for severity scoring as defined in the Severity Assessment section (below).
  • To follow CVE Numbering Authority Rules.

Violating these rules may result in, but is not limited to:

  • Revocation of Report eligibility,
  • Denial of any or all potential rewards,
  • Temporary or permanent revocation of Security Researcher and Reporter eligibility, and
  • Removal from current engagements and/or prohibition from future engagement eligibility.

Safe Harbor
If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Altera). We cannot and do not authorize security research in the name of other entities.

Researcher/Reporter Agreements

Product Eligibility Criteria

Altera encourages the reporting of all potential vulnerabilities. Altera branded products and technologies that are maintained and distributed by Altera are eligible for rewards from this program. See the “In Scope” section.

Report Eligibility Criteria

Altera encourages you to submit any report for consideration. For the report to be eligible for bounty award consideration, your report must meet the following requirements:

  1. The report and any accompanying material is first sent to Altera.
  2. The reported vulnerability is in scope; see the “In Scope” section.
  3. The vulnerability you identify must be original, not previously reported to Altera and not publicly disclosed.
  4. Reports shall not include any suggestions or recommendations for how to mitigate the vulnerability being reported.
  5. The report must show that the potential vulnerability has been demonstrated against a currently supported (often the most recent) and publicly available version of the affected product or technology.
  6. The report must contain clear documentation that provides information required for the report to be processed.
    1. Minimum:
      • Name and specific version of the Altera product(s) the potential issue may impact
      • How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
      • Instructions that, if followed by the Altera product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Altera platform
    2. Recommended Content:
      1. Overview
        1. An overview/summary of the reported issue
        2. Statement of potential impact
        3. Name and specific version of the Altera product(s) the potential issue may impact
      2. Details
        1. Detailed explanation of the reported issue
        2. How it can be exploited
        3. How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
        4. Likelihood of a successful exploit
      3. Proof of Concept (POC)
        1. Instructions that, if followed by the Altera product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Altera platform
        2. Information on how any POC code was developed and compiled
        3. Code required to execute the POC
        4. Description of the development environment and operating system revisions
        5. Compiler name, version, options used to compile
      4. Scoring
        1. Proposed CVSS score
        2. Proposed CVSS vector
        3. Justification for the selections (using the stated specification).
        4. Identify the reported Common Weakness Enumeration (CWE) if applicable

The more details provided in the initial report, the easier it will be for Altera to evaluate your report. Omitting Proof-of-Concept or Proof-of-Exploit(ability) from a report may result in the report being ineligible for a bounty or a delay in triage of the report.

Security Researcher and Reporter Eligibility Criteria

All criteria must be met to participate in the Bug Bounty Program.

  • You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to the Altera® Bug Bounty Program.
  • You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of a U.S. (United States) Government embargoed country.
  • You are not on a U.S. Government list of sanctioned individuals.
  • You are not currently, nor have you been an employee of Intel Corporation, Altera Corporation or an Intel subsidiary, within 6 months prior to submitting a report.
  • You are not currently, nor have you been under contract to Intel Corporation, Altera Corporation or an Intel subsidiary, within 6 months prior to submitting a report.
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Altera.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Altera does not view testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
  • There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.

Sensitive and Personal Information

Never attempt to access anyone else's data or personal information, including by exploiting a vulnerability. Such activity is unauthorized. If during your research, testing, or communication with Altera you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert Altera immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.

Shared Agreements

Intellectual Property

By submitting your content to Altera (your “Submission”), you agree that Altera may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Altera all rights to your Submission needed to do so.
Altera will, to the best of its ability, offer named acknowledgement on any Altera publications which include information provided through the reporting process. For Submissions with multiple collaborators, please ensure all users are included on the report at the time of submission to ensure acknowledgement.
Acknowledgements will utilize the bug bounty platform username only, unless otherwise requested at the time of submission, or anonymity if requested before publication occurs. Limits may apply. Altera will not edit the acknowledged name unless it can be proven to be inaccurate.

Domains

Firmware

Tier 1
Device

Firmware developed by Altera that executes within our FPGA products regardless of the storage media. Excludes any software that executes the Hard Processor Subsystem, or any software that executes on an embedded processor instantiated in soft-logic within the FPGA by a customer.

Hardware

Tier 1
Device

FPGA Integrated Circuit hardware. This may include both a base FPGA and any associated co-packaged integrated circuits.

FPGA Solution Development Tools and Utilities

Tier 2
Other

Tools developed by Altera, such as the Quartus Tool Suite, used by customers to develop a solution that may comprise software and soft-logic hosted within an Altera FPGA device. Also includes various Altera-authored supporting utilities used to manage deployment of customer designs to Altera FPGAs.

Software

Tier 2
Other

Altera Developed Device Drivers that execute on a host computer that is connected to an Altera FPGA, used to manage or control the FPGA or any functions implemented by the customer within the FPGA.

Non-Altera Products

No bounty
Other

Any elements of a complete customer solution developed by entities other than Altera that may be included in a final customer solution. Reports relating to such entities may be reported via the Altera Bug Bounty Program, but are not eligible for bounty payments.

In scope

See "Report Eligibility Criteria" section.

Hardware:

  • Stratix10 family FPGAs
  • Agilex family FPGAs

Firmware:

  • Device Firmware embedded in the above Hardware elements

Software:

  • Quartus Prime Pro (Latest Version).
  • Drivers for Altera products (Latest Version), excluding 3rd party Drivers
  • Altera owned soft IP delivered through Quartus tool (Software tier only applies) (Latest Version)

Out of scope

Product Category                      Bounty Eligibility   Bonus Eligibility   Reputation Eligibility
Third-Party Products                  No                   No                  No
Licensed 1st and 3rd Party Products   No                   No                  No
Pre-release Products                  No                   No                  No
End of Life Products                  No                   No                  Yes
Recent Acquisitions                   No                   No                  Yes
Divestitures                          No                   No                  No
Open-Source Software                  No                   No                  Yes
Open/Prototyping Platforms            No                   No                  No
Web Infrastructure                    No                   No                  No
Credentials                           No                   No                  No
Duplicate Reports                     No                   No                  No
Open Chassis Physical Attacks         No                   No                  No

Any issues with Quartus and software tools that require high privilege within the development environment to conduct the attack are out of scope for Bounty and Bonus Eligibility; this includes DLL hijacking (aka binary planting/hijacking/preloading) vulnerabilities. They only count for Reputation Eligibility.

End of Life Products

Products which have reached an End of Life (EOL), or End of Service (EOS) status fall out of Scope for bounty rewards, however we request that you report any vulnerabilities to Altera PSIRT for disposition.

Licensed 1st and 3rd Party Products

Altera licensed products, both first- and third-party, are not eligible for rewards of any kind through the Bug Bounty Program. This exclusion only includes components that are specific to the licensed product(s). These are some examples of licensed 1st party products excluded from Scope:

  • Questa*-Intel® FPGAs Pro Edition Software
  • Arm* Development Studio for Intel® SoC FPGA
  • Ashling RiscFree IDE for Intel® FPGAs
  • Flexlm License Daemon for Intel® FPGA software

Open-Source Projects

Open-source projects fall out of Scope for bounty rewards. Please contact the open-source project maintainer directly.
Some open-source projects maintained by Altera request that vulnerabilities be submitted to Altera PSIRT. For these projects you may submit a report through the Altera Bug Bounty Program; these reports will not be eligible for rewards. See the project-specific Security.md file for details.
Open-source projects that are solely maintained by Altera are in Scope and vulnerabilities should be submitted to the Altera Bug Bounty Program.

Third-Party Products

Third-party products that do or do not contain Altera branded products or technology fall out of Scope for bounty rewards. However, if the issue is root-caused to an Altera branded product or technology, please submit your report under the appropriate Product type above.

Out of Scope (Ineligible Reports)

Altera encourages the reporting of all potential vulnerabilities. For vulnerabilities out of scope for the Bug Bounty Program please refer to our Vulnerability Handling Guidelines.

General

Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.

Credentials

Username, password, account identifier, keys, certificates, or other credentials that have been published, leaked, or exposed in some way should be reported to this program to ensure they can be properly investigated, cleaned up, and secured. Credentials are out of Scope for rewards.

Duplicate Reports

Vulnerabilities already known to Altera fall out of Scope and are not eligible for rewards. This includes both internally identified and externally reported vulnerabilities.

Owner-Attacker & Physical Access Attacks

Valid submissions against hardware or firmware weaknesses requiring advanced physical attack techniques are out of scope for bounty rewards.
Attacks by the Hard Processor Subsystem (HPS) operating system or hypervisor that are under the customer's control are considered out of scope.

Pre-Release Products

Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate) fall out of Scope for bounty rewards.

Severity assessment

Altera will determine the severity of an issue reported using the following process:

  1. The reported vulnerability will be analyzed to determine if there is an actual exploit and if the attack is in scope. If there is not a path to the compromise of a product security objective, then the issue will be rejected. This step will eliminate from bounty payout any issue that is either outside the scope of the security objectives for the product or that is not exploitable for a range of reasons. For example, a vulnerability may be rejected if there is a defense-in-depth countermeasure that blocks exploitation.
  2. If not rejected at step 1, the CVSS scoring will be performed by Altera Engineering to determine an initial severity rating.
  3. Altera Engineering will then examine the totality of the circumstances that lead to an exploit based on the reported vulnerability including the initial CVSS score, along with an assessment of the actual damage that may occur to Altera or customers because of the exploitation of the vulnerability. Based on this analysis, a final severity rating will be assigned by Altera Engineering that may be higher or lower than the one determined by CVSS.

FAQ

When will a bounty be awarded? What is the schedule for payment?
Each bug bounty report is individually evaluated based on the technical details provided in the report. Altera follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.

  • Vulnerability Assessment – Altera PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
  • Triage - A team of Altera product engineers and security experts will determine if a vulnerability is valid, and an eligible Altera product or technology is impacted.
  • Vulnerability severity determination – Altera PSIRT works with the Altera product security engineers and Altera security experts to determine the severity and impact of a vulnerability.

Can I earn rewards for a report if I was not the first to report it?
In most cases, no. See “Report Eligibility Criteria” section for the policy statement. To earn a reward, you must be the first person to submit the vulnerability information to Altera. If your report has been flagged as a duplicate (non-original) we will do our best to provide information to you about the original submission to indicate when and how it was submitted. This may include a CVE number, Altera Security Advisory number, ticket identifier and/or date of the original submission.

I sent a vulnerability in an email (PSIRT Direct Contact) before sending it through the Bug Bounty Program. Can I earn a Bounty for it?
In most cases, yes. Rewards can ONLY be offered through the Altera Bug Bounty Program, and NOT through PSIRT Direct Contact. When using the direct contact method, PSIRT will remind you that if you wish to be eligible for a bounty you MUST use the Bug Bounty Program to submit the vulnerability. A time limit will apply to all submissions that request to be transferred. See “Report Eligibility Criteria” section for more details.
