Xilinx is committed to partnering with the security community in the interest of increased product security. We welcome reports from security researchers, industry organizations, government agencies, and vendors regarding product security vulnerabilities.
Xilinx will make a best effort to meet the following response targets for vulnerabilities reported through this program:
• Time to first response (from report submit) - 1 day
• Time to triage (from report submit) - 1 day
We’ll try to keep you informed about our progress throughout the process.
• Please provide detailed reports with reproducible steps.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• To protect our customers, Xilinx does not publicly disclose or confirm security vulnerabilities until Xilinx has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to Xilinx, you agree to not publicly disclose or share the vulnerability with any third party until Xilinx confirms that the vulnerability has been remediated and you have received written permission from Xilinx to publish information about the vulnerability.
• When submitting a report, you acknowledge you are subject to HackerOne's Disclosure Guidelines (as modified by this Policy regarding disclosure timelines), the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions.
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Product vulnerabilities with no security impact.
• Brute force attacks.
By submitting a vulnerability report to Xilinx, you grant to Xilinx Inc., its subsidiaries and its affiliates, a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in or related to the use of this material. It is also important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. If you do not notify us, you are representing that no third-party intellectual property rights are involved.
Any activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for participating in the Xilinx Vulnerability Disclosure Program.
Contact us if you want more information.