PSIRT® - Altera Product Security Incident Response

Altera is committed to helping customers maintain secure computing environments. We promptly address security issues and share guidance through security advisories and notices. Security advisories provide fixes or mitigations for confirmed vulnerabilities in Altera® products.

How to Report Potential Security Vulnerabilities

If you believe you’ve found a security vulnerability in an Altera product or solution, submit reports through the current Bug Bounty program provider, Intigriti, which is the preferred method. Our PSIRT engineers work directly with Intigriti to analyze your submission report. See the Intigriti page for the Altera Bug Bounty program terms and conditions.

To contact the Altera Product Security Incident Response Team (PSIRT) directly, email psirt@altera.com. Please encrypt all correspondence using our PGP public key when sending information about potential security weaknesses or vulnerabilities. Only submissions through Intigriti qualify for consideration for bug bounty rewards.

If you’re having trouble encrypting your vulnerability report or have questions about the process, please email PSIRT. We’ll help identify a secure method for transmitting your report.

Please note that this email is for security-related issues that affect Altera Products. For general support inquiries, please use the regular support channels.

When reporting an issue via email, please provide as much of the following information as possible:

Affected Products and Version
<List of products potentially impacted including those already shipping and those in development. Please include versions and download links if possible>

Description
<Full description of the issue including any impacts to confidentiality, integrity, or availability.>

Steps to Replicate/Proof of Concept (POC)
<Steps to reproduce the issue should be included and/or any code to trigger the vulnerability>

Known Disclosure Plans
<Any known disclosure plans>

The public PGP key for psirt@altera.com can be downloaded here.
Fingerprint: 97B8051032EDFB48F017134185385B2B387B5E05
Expiration Date: 10/28/2028

Altera PSIRT Vulnerability Handling Process

The Altera Product Security Incident Response Team (PSIRT) is dedicated to addressing and resolving security vulnerabilities reported in Altera products, including FPGA devices, software tools, FPGA firmware, and FPGA Soft IP. The Altera PSIRT process is based on industry best practices and aligns with CVE.org policies to ensure the transparent and effective management of security issues.

Intake and Triage

When a potential security vulnerability is reported, the first step is the structured intake and triage process.

Submission: Reports are received through our bug bounty program (Intigriti) or psirt@altera.com.
Acknowledgment: The reporter receives an initial acknowledgment within a few working days of submitting the report.
Preliminary Assessment: Intigriti or Altera PSIRT validates the report, ensuring it contains sufficient information (e.g., product, version, detailed description, proof of concept if available).
Triage: The issue is reviewed for relevance, impact, and reproducibility. Non-security or out-of-scope reports are filtered out.

Severity and Prioritization Analysis

Once a vulnerability is confirmed, the PSIRT assesses its severity and determines prioritization for response.

Risk Analysis: The team utilizes standardized scoring systems, such as CVSS (Common Vulnerability Scoring System), to assess the vulnerability’s impact, exploitability, and scope.
Prioritization: Vulnerabilities are prioritized based on severity, affected products, customer impact, and potential for exploitation.
Stakeholder Notification: Relevant internal teams and stakeholders are informed of the vulnerability and its prioritization status.
Early Reservation of CVEs: Altera PSIRT will reserve a CVE for the vulnerability if it is within its CNA scope (Altera Products and services). If the security vulnerability involves a third-party component, Altera PSIRT will contact the affected 3rd party, and it might be necessary to transfer the requested CVE handling to them. If the vendor disputes or rejects the issues, further negotiation with our Root-CNA (MITRE) might be required.

Communications with the person or entity that reported the security vulnerability:

Communications will happen via the Intigriti Platform or by email.

For valid reports, the Altera PSIRT team will confirm the validity of the security vulnerability and share the reserved CVE with the reporter. Further details on the expected mitigation and disclosure timelines will also be discussed. Timelines vary depending on the nature of the severity and the production lifecycle of the affected product.

For valid reports where the root cause is found on a 3rd party product, Altera PSIRT will continue to coordinate between the 3rd party and the reporter. Altera will not reveal the identity of the reporter to a 3rd party without proper consent.

Altera PSIRT will also communicate with the reporter if more details are needed or if the issue is considered invalid. For more information on what Altera considers a security vulnerability, see the Altera Program on the Intigriti Page.

Mitigation Planning and Execution

The PSIRT coordinates with engineering and product teams to develop, test, and deploy mitigations or fixes.

Mitigation Strategy: Options may include software patches, firmware updates, configuration changes, or workarounds.
Development: Engineering teams develop and validate fixes, ensuring they address the vulnerability without introducing regressions.
Testing: Fixes undergo rigorous quality assurance and security testing.
Deployment Planning: Plans are created for releasing updates, including documentation and customer communications.

Disclosure

Altera PSIRT manages both non-public (NDA) and public disclosure in a coordinated and responsible manner.

NDA Disclosure
• Impacted customers and partners under Non-Disclosure Agreements (NDAs) may receive early notification and pre-release mitigation guidance.
• Coordinated disclosure timing is established to allow affected parties time to implement mitigations.

Public Disclosure
• Once mitigations are available, Altera PSIRT publishes security advisories on its website under the “Security Advisories” page.
• The advisory includes the CVE ID (if assigned), a description of the vulnerability, affected products, mitigation steps, and references to patches or updates.

Coordinated Disclosure
• Altera is committed to collaborating with vulnerability reporters to coordinate the timing and details of public disclosures whenever feasible. If you intend to publish information about an Altera vulnerability, we encourage you to partner with us to ensure disclosures are synchronized.

Altera Security Advisories

Subscribe to security advisories email list

Altera PSIRT ID | Title | CVEs | Release Date | Last Updated
ASA-0005 | Quartus® Prime Standard Security Advisory | CVE-2025-14599, CVE-2025-14614, CVE-2025-14625 | December 20, 2025 | December 20, 2025
ASA-0004 | Quartus® Prime Pro Security Advisory | CVE-2025-14596, CVE-2025-14605, CVE-2025-14612 | December 20, 2025 | December 20, 2025
ASA-0003 | High Level Synthesis Compiler Security Advisory | CVE-2025-13669, CVE-2025-13670 | May 13, 2025 | December 20, 2025
ASA-0002 | Quartus® Prime Standard Security Advisory | CVE-2025-13665, CVE-2025-13664 | May 13, 2025 | December 20, 2025
ASA-0001 | Quartus® Prime Pro Security Advisory | CVE-2025-13663, CVE-2025-13668 | May 13, 2025 | December 20, 2025

Historic Altera Security Advisories (Pre 2025)

Visit the Altera PSIRT homepage to report vulnerabilities, review security policies, and learn how we protect our FPGA products and platforms. - 2026-03-10
