Xilinx, now part of AMD is committed to partnering with the security community in the interest of increased product security through this Bug Bounty Program. We welcome reports from security researchers, industry organizations, government agencies, and vendors regarding product security vulnerabilities.

Consider submitting a report to Xilinx Vulnerability Disclosure Program for out-of-scope vulnerabilities.

Response Targets

Xilinx will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 1 business day

• Time to triage (from report submit) - 1 business day

• Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent from Xilinx.

• Xilinx reserves the right to approve or deny disclosure requests on a case-by-case basis.

Program Rules

• When reporting vulnerabilities, please consider: (1) the attack scenario / exploitability, and (2) the security impact of the bug.

• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• To be eligible for bounty award the vulnerability must pertain to an area in scope listed in the section titled "In Scope" below.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact of the reported chain of vulnerabilities.

• When multiple reports pertain to the same vulnerability, only the first report received (provided that it can be fully reproduced) will be eligible for the award.

• Multiple vulnerabilities caused by a single underlying issue will be eligible for a single bounty award.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• To protect our customers, Xilinx does not publicly disclose or confirm security vulnerabilities until Xilinx has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to Xilinx, you agree to not publicly disclose or share the vulnerability with any third party until Xilinx confirms that the vulnerability has been remediated and you have received written permission from Xilinx to publish information about the vulnerability.

• When submitting a report, you acknowledge you are subject to HackerOne's Disclosure Guidelines (as modified by this Policy regarding disclosure timelines), the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards

Our rewards are based on severity per CVSS 3.0 calculator to get a base score. The final severity may be adjusted to reflect the impact of the reported vulnerability on the product. Please note these are general guidelines, and all reward decisions are made at the discretion of Xilinx and final.

Out of scope vulnerabilities

The following issues are considered out of scope:

• Vulnerabilities pertaining to any Xilinx products except those listed in the section titled "In Scope" below. Examples of out of scope products include, but are not limited to, BootROM, u-boot, FSBL, PetaLinux, Xilinx owned/operated web-sites, Xilinx silicon, hardware accelerators, and QEMU used for security.

• Xilinx does not control the design of RSA, AES and SHA standards. Therefore, any design flaws in RSA, AES and SHA standards is out of scope, and we cannot fix it until the governing standard recognizes and fixes the issue.

• Known issues published before your disclosure on Xilinx web-site in form of design advisories, known issues, answer records (AR), user guide, and constraints.

• Security issues identified and disclosed by other hackers before your disclosure.

• Security issues without a clearly defined impact on the security of the system.

• Theoretical issues without concrete evidence or practical impact on security.

• Brute force attacks.

• Issues that do not impact security.

You must meet all the requirements below to be eligible to participate:

• You are reporting in an individual capacity. If you are employed by another company and are participating within the scope of your employment, you must have your employer's written approval to submit a report.

• You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.

• You are not a resident of a US-embargoed country.

• You are not on a US list of sanctioned individuals.

• You are not an employee, contractor or vendor who currently works, or worked within one year prior to submitting a report, for Xilinx or a Xilinx affiliate.

• You are not a family or household member of someone meeting the criteria stated in the step immediately above.

• You are not an employee, contractor, or vendor who currently works, or worked within one year prior to submitting a report, for a Xilinx business partner associated with any asset listed in scope of this bug bounty program.

Legal Notice and Safe Harbor

By submitting a vulnerability report to Xilinx, you are confirming that you are at least 18 years of age and are not considered a minor in your place of residence.

By submitting a vulnerability report to Xilinx, you grant to Xilinx Inc., its subsidiaries, and its affiliates a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.