
Vulnerability Disclosure Program

Help keep Altium secure by responsibly disclosing any potential vulnerabilities you discover.

Overview

Altium is committed to maintaining the security and integrity of the A365 platform. We actively seek to work with security researchers who identify vulnerabilities in our products and services and are dedicated to addressing valid security concerns in a timely manner.

Response Targets

Altium is committed to timely and responsible handling of vulnerability reports. While resolution timelines may vary based on severity and complexity, Altium will communicate at the following stages:

  • Acknowledgment
  • Triage
  • Resolution

Program rules

Eligibility:

  • Employees, contractors, or their relatives are prohibited from participating.
  • Participants must not reside in countries or regions subject to U.S. sanctions.

Reporting Requirements:

  • You must be the first to report the vulnerability.
  • Submit one vulnerability per report unless multiple vulnerabilities need to be chained to demonstrate impact.
  • Provide detailed reports with reproducible steps or a working proof of concept (PoC) demonstrating the issue.

Testing Guidelines:

  • Use only accounts you own or accounts with explicit permission from their owners.
  • Do not access data belonging to other users.
  • Do not perform actions that could degrade, disrupt, or destroy data or services.
  • Do not use high-volume scanners or automated testing tools.

Prohibited Activities:

  • Social engineering, including phishing, vishing, smishing, or exploiting human resources, is strictly prohibited.
  • Physical security testing and other non-technical methods of attack are not allowed.
  • Do not publicly disclose a vulnerability before it is resolved.
  • Do not impact other users while testing.

Disclosure

Altium is committed to fostering coordinated vulnerability disclosure and values collaboration with researchers. To protect our users and ensure their security, we request that researchers follow these guidelines when disclosing vulnerabilities:

  • Wait until a fix has been made available and communicated to impacted users.
  • Coordinate public disclosure in good faith with Altium’s security team to minimize risks to users.

Scope

Altium is currently seeking vulnerability reports for supported versions of the following applications and services within the Altium A365 environment:

  • Altium 365 (any subdomain at *.365.altium.com)
  • Altium Designer
  • Altium Enterprise Server
  • Octopart (octopart.com)

Out of Scope

  • Reports from automated tools or scans.
  • Path disclosures resulting from error messages.
  • Altium public-facing websites not related to specific products or services, including but not limited to:
    • altium.com
    • resources.altium365.com
    • my.altium.com
    • upverter.com
    • ciiva.com
    • eeconcierge.com
    • valispace.com

Out of Scope vulnerabilities

When reporting vulnerabilities, please focus on issues with a significant security impact. The following issues are generally out of scope for the Altium 365 Vulnerability Disclosure Program:

  • Reports from automated scanning tools.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS): Avoid techniques that may degrade or disrupt services.
  • Disproportionate or Inadequate Testing Methods: Do not use tools or resources that create unnecessary load on the system solely to prove a vulnerability.
  • Physical Security and Social Engineering: Avoid physical security tests, social engineering (e.g., phishing), and exploiting human resources to find vulnerabilities.
  • Access Beyond Verification: Avoid using vulnerabilities to access or modify data beyond what is necessary to verify the issue.
  • Data Manipulation: Do not delete, alter, or corrupt data as part of your testing.

Common Issues and Recommendations Out of Scope:

  • General Security Misconfigurations: Errors involving HTTP status codes, missing or common security headers (e.g., Strict-Transport-Security, X-Frame-Options), or configurations unrelated to sensitive data.
  • Content Spoofing and Host Header Injection: These are out of scope without an attack vector demonstrating security impact.
  • Publicly Known Files: Exposure of publicly accessible, non-sensitive files or directories (e.g., robots.txt).
  • SSL/TLS Configurations: Minor SSL/TLS configuration issues, such as lack of forward secrecy, weak cipher suites, or missing best practice configurations, unless they directly impact data security.
  • Email Security Configurations: Issues solely related to SPF, DKIM, or DMARC configurations without an impact on Altium 365's security.
  • Deprecated Software Versions: Reports of deprecated software or libraries without known vulnerabilities or clear exploitation scenarios.

These exclusions help to maintain focus on impactful vulnerabilities that pose a real security risk to Altium 365 users and services.

Rewards

Submissions to Altium’s VDP are not by default eligible for monetary rewards. In certain cases, and depending on the severity and impact of the vulnerability, Altium may choose to reward the report in an amount to be defined with the researcher.

Safe harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Privacy Disclosure

By utilizing the HackerOne platform to submit vulnerabilities, you acknowledge and agree to be bound by the HackerOne Privacy Policy, which can be found here: https://www.hackerone.com/policies/privacy. Any third-party platform is subject to its own terms and conditions, as well as its own Privacy Notice. Altium assumes no responsibility for how HackerOne processes, stores, or secures your data.