Astera Labs Security

Vulnerability Disclosure Policy and Reporting Process

Astera Labs strongly believes in the principles of responsible vulnerability disclosure towards all parties involved. We welcome independent security researchers, vendors, customers, and other sources to responsibly and privately report security to us vulnerabilities affecting our product portfolio.

This policy outlines the recommended procedures for reporting vulnerabilities to Astera Labs, provides guidance to the vulnerability reporters and explains what you can expect once we receive your report.

Note: Astera Labs reserves the right to deviate from this policy whenever it deems, it its sole discretion, that it is appropriate or necessary.

If any concerned party needs to report a potential security vulnerability in any Astera Labs product, please use the below method:

To report a potential security vulnerability in any Astera Labs product and/or technology, please email your report to the Astera Labs Product Security Team at . Please note that Astera Labs subscribes to the Coordinated Vulnerability Disclosure (CVD) model and expects all security researchers who submit reports to do the same. Reports should contain the following information to allow for efficient triage and analysis:

1. Name and version of the affected product or software
2. Detailed instructions to replicate the vulnerability
3. Proof-of-concept or exploit code
4. Description of how the issue was found, the impact and any potential remediation
5. Potential implications of the concern
6. Public disclosure plans

Please note that missing or incomplete information may delay our ability to address the reported vulnerability. Security researchers who submit privately a valid report and adhere to Coordinated Vulnerability Disclosure (CVD) practices may be acknowledged in our published security bulletin. Once we receive the report, you can expect that our security team will confirm receipt, then begin the process of analysis, validation, and implementing corrective measures to resolve the issue. All information received in the report should be expected to be treated with the utmost care and is considered confidential. Such information should be anticipated to be shared only with the relevant stakeholders on a need-to-know basis.

Astera Labs requires adequate time between the initial vulnerability report and public disclosure to ensure thorough analysis and mitigation. Security Bulletins are envisioned to be the primary channel for communicating mitigations or guidance related to newly published CVEs.

In addition, Astera Labs PSIRT may notify customers and partners about potential vulnerabilities even when no CVE has been issued, or to provide updates and additional context on previously disclosed issues for which guidance has already been shared.

Note: The issuance of a Security Bulletin by Astera Labs does not necessarily indicate that any products are affected. Bulletins may also serve to share informational findings with our partners and customers.

The timing of disclosure is expected to be determined on a case-by-case basis, taking into account various factors, including the nature of the issue and the need to protect end users. While some disclosures may follow the standard 90-day embargo period, others may require more time due to factual circumstances, such as the complexity of the ecosystem and the effort needed to develop, integrate, and distribute effective mitigations. In such cases, an extended embargo period may be necessary to allow all stakeholders sufficient time to implement patches.