Product Security

The Ampere Security Team proactively searches for and responds to all reported security vulnerabilities on all our products. We are committed to rapidly mitigating security vulnerabilities affecting our products and providing clear guidance to the security community, customers, partners, and end users on the solution, impact, severity and mitigation of any issues. 

Security Bulletins

Product Security Bulletins are listed below. Click on the Title link in the table to view more details.
Bulletin ID Title CVES Published Date Last Updated
AMP-SB-0001 Impact of Spectre BHB on Ampere CVE-2022-25368 3/8/2022 3/8/2022
AMP-SB-0002 Altra SPI-NOR SMC CVE-2022-32295 6/29/2022 6/29/2022
AMP_SB_0003 Platypus CVE-2021-45454 8/11/2022 8/11/2022
AMP-SB-0004 Retbleed CVE-2022-37459 8/11/2022 8/11/2022
AMP-SB-0005 Hertzbleed CVE-2022-35888 8/11/2022 8/11/2022

Reporting a Potential Security Vulnerability

If you have discovered a potential security vulnerability in an Ampere product, please contact the Ampere Security Team at psirt@amperecomputing.com. Please include the following details:
  • The product(s) and version(s) affected
  • Detailed description of the vulnerability including steps necessary to replicate the issue
  • Known exploits
For non-product related security vulnerabilities, please email us at BugBounty@amperecomputing.com

 Ampere treats all security vulnerability information as extremely sensitive and we recommend that all security vulnerability reports sent to Ampere be encrypted using the Ampere PGP key: 
 
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGJZrawBEACxcBCz2vHJAZUEf7adgRAdu7EjvGhcrPcPfuwd0Idtb93U+njg
tsV6Lk3dN6GLnNI/zimRjE3yalXplkvN4Ow4fk05lYpXo1Yx8RuXJjEwjdGl7yS2
nP3apIPifXo8/7OxEhtTrh5F3nz9KcYF8iImjqvCPRpwWybEEgHm5Dj/QRwA5Kp/
NIMADIaOvlhs8HFu2dAx7sRCqQ/VzCnlf516FpONQ4XQylkN7pI0Brj7RQ9W7LvT
lZj38xGTxRiJhMDoasLyuNxcOk6jmcwqHeC0dGAfYzLMXdfbZnRn3KTTZw0rRHJx
ovW8AfvHZ9sAeAm1DMxx8wphdGAmXghGX44YRLEaRiIpSIQJTlHQa4Pm2Rkb+eDE
Nbkj9nO5Pqo4hFfINE37NMXRa68ozY6dd0JLIxUP4KvorS3XjIH4OWQsZTzoPU5M
0AqzEj8662WmJCJb2GP6Wy0QGoABmW4OpLNewMNoI9P2nomPZTqXds+95LCkaPDK
mI+RGD1S7w6skjiDsFrdkRznxqgGrY2Tn7AoUXOEGgi+UZAYlhQdiqZP0uc/W/VQ
VYSNeQle1eNJX3vMMPn7mHa2IWC7/hT8Am9I3+89zNEWT3363fbos1jdPGX/oMnz
qrawcfCn98Eo/YF8LELVY71gA2MUbNjz2I4kPXohWk7mNtnOMSLpq5XmQwARAQAB
tEVBbXBlcmUgUHJvZHVjdCBTZWN1cml0eSBOb3RpZmljYXRpb24gPGl0c2Vydmlj
ZXNAYW1wZXJlY29tcHV0aW5nLmNvbT6JAlQEEwEIAD4WIQQajFFi4fqe0ftZRt/A
wuzeyW0GawUCYlmtrAIbAwUJEs/xXgULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRDAwuzeyW0GawCID/9ki6l9RJaMJMq00OMO4J3CefpPcONTm6RMKmgKVvNQJ3bX
9p/PLz3vATisfWgyhVQKrNuvVENelAR8s6YzaE1gnyybcWyRRk55v+NjfmkneYf3
m7zL83vNYOtg/88ZWYf16EuK/Ln3v4Ok9jpND8bg5pvZ4XLT4h7FcvZo42+PX0Nv
cirp1i9IE8I8IOB/Um3EA9MesAbdaa2DtMN/IFGqBL6/PuRwxyScjMhq6GY3bPjh
pKTrCwixu6HIAcHksAwCw7kYX4rXGn00ISdjY1nXd11z1LDT5D3aCTU9XGGqEyzH
Fy0HQvmhX/yFi/kNnB+9MAZW+20ecnroBK2qruexhP2OfPTAR8ly1LH7WiTw5g7a
FoC8vHyipN8Sslw4MhLDxpNlgoDf72+BIA5ybAUXAPiBgqrNRdQgvGP5WlRYb4sQ
xgQ3/KrzUZqLC0z38k+GntyZQqFF820LECmLgVlMZUMtvF2AGu4w3lc1+qYP/Zik
4+RKjvNOFziS1KYPWXQO7Qhza62GC116ZnXfsxI9vF9crZgvcjwJrFQUMiHYyIpg
PnIjuFxFla1sIoQgT0zdVo2ZfnWbL+R/qktobF+8dmniR+4yDnEiZip44hXHF7/6
y8IKgRtsCVYZ0VPwLz0bCUS6s1fzBkvJPWvrF9EEiNi9D1qOBV2f3MfoJVrULrkC
DQRiWa2sARAAwGh6WiI8EmvNKnqMNuHHZMwCMd+7tCbaxzif6bpXOD620CMorZD5
noRm3Q64IR7pKw7aogWaAM3bfvU5O/NlFqSF7Ve9yuOI9EM/4/tNTOeAXl0CjnKb
QNNlldZ5XixwPeSY3ROj0tSBnrSkXm8Cv9RcAeSnyezulpIhaW4/QTWu5ZJvi8YE
bsq6A3oF48LO4JmNG5n3vuGnRKHvAv1g7iYpmirNTXpHPq9AF1QFuDC+OIVTX0fN
d3Uj1XAKyxQh6R9577HLlWWOBiDsaa2LAU1HHJtJ35Tx9AWa67aSsezDeOhPaahc
35ZxKKl2G2pilIpGYZt0O7qdhZO1GgF9cZ/oUeEK32Q/qC+M1sBuqMVzej2jiWio
VnFd4pHb7kKf932qD2ULF6r2Y8weEdu4I4rXwdWk6RjkFfFKrzOe3QE12JSKJIQm
mebCpWYPihEoOX7KdQFllozTIHFM8ta7/Cw617ZFQWuLMo3wZHnCb4XTSWo9WX5J
oit7udRfYblsWXPAwJIu3kVks984AGljTgdgs0Y0HyuI+0Ju4ZURZNXTgXUlsC+V
oOYQKODrW+ocN9u6VAr4IfjJ0emOUtI+671mQi/U/naUQiUk9CpPaDHL7FPgli1D
lJxEIO0ML2oqpT7o9GfscUkVxGeQZSJT1CvbHaG/uD7+GZ0GYfQQZLMAEQEAAYkC
PAQYAQgAJhYhBBqMUWLh+p7R+1lG38DC7N7JbQZrBQJiWa2sAhsMBQkSz/FeAAoJ
EMDC7N7JbQZr3y0QAIn46WkC3B5oGZ5RvQ93ioIZG6wAEugy17ATzbp7lvUKz1Kb
fm3crrj6gjNdkTPS2xJ2xpRzSXsNi7Cn8ByJ2ISlPNi6Nf/oR6Xbw9+5/QoGpGIn
Hv36v4MeZIegq18+J2xTLskwaLyxWIanuedgtLvGhIgZZkeUOOTT6LqB7V2uYiwv
osWtM+LSYBvOGYpRFHsyH/DZFF3HBKbP8Nmie8vszKDs89Yuwy91pOSxt+9ojov4
nsiEcuy8lod+LWpxKASbxWTzXdEi2GQuyi+5BIXKO0mvfoo04yUV3HWdWTQy6rCq
ZYl33RD9MxPonT1uFXL4IE2WmKY+CA7c98Ov9RLtxxemOs1UCPtATYX8IgusoDR3
UBqbpNG8OWN8bBitu0514QKmzoHkE5M+jdU9dNvC0irLahReqlaFZO/Ktc4WpLe0
4AmVjhzVsI8JmedrOGdT7NUbhxXBHTGTyOUKSaVGlht1oDrBxDJb9CnhKYlSvCG2
M752ARvgSjif+6DUhu5B+URBY3b0ktR75UYKKxjd2uggwvtR53TUK4lZgOszwq7v
PY0LFmPDwdCOr3P74891eqgGIAlMaduCrOHYKDhj/k/EIe2E68nsNgRxvV66m0j9
fTmixyXN6LlRfR5XfRggxWJbFSEEy1ZRzp0R227clcJ6Y7u0QAmyxfLZJK6s
=ub9j
-----END PGP PUBLIC KEY BLOCK-----
Software and instructions to encrypt messages may be obtained from: 
OpenPGP or GnuPGP
 

Publication of Security Information 

Ampere publishes all security information regarding security vulnerabilities in Ampere products, including any fixes, workarounds or other actions at the Ampere Product Security Center.
Ampere also publishes mitigated vulnerabilities to public bug databases such as CVE.
 

Vulnerability Handling Process

All security vulnerabilities in Ampere products are actively managed through a well-defined process in compliance with the best practices per CVE.org to follow industry standards. The time to mitigate a vulnerability varies based on the scope of the issue.
The process follows these steps: 
  • Discovery: The process begins when the Ampere Security Team becomes aware of a potential security vulnerability in an Ampere product. The reporter receives an acknowledgement and updates throughout the process. 
  • Evaluation: The Ampere Security Team confirms the potential vulnerability, assesses the risk, determines the impact, and scores the issue using CVSS. 
  • Mitigation: The Ampere Security Team works with the product team and partners to develop a solution that mitigates the security vulnerability. In cases where a vulnerability is being actively exploited, Ampere may deliver a temporary solution to contain the issue while working on the complete solution. 
  • Communication: The Ampere Security Team publishes a security advisory at Ampere Product Security Center for fixed issues. Ampere Computing communicates with customers through a variety of methods. Ampere will acknowledge the reporter in the advisory if requested. 

DISCLAIMER

All data and information contained in or disclosed by this document are for informational purposes only and are subject to change.

This page may contain technical inaccuracies, omissions and typographical errors, and Ampere® Computing LLC, and its affiliates (“Ampere®”), is under no obligation to update or otherwise correct this information. Ampere® makes no representations or warranties of any kind, including express or implied guarantees of noninfringement, merchantability or fitness for a particular purpose, regarding the information contained in this document and assumes no liability of any kind. Ampere® is not responsible for any errors or omissions in this information or for the results obtained from the use of this information. All information in this presentation is provided “as is”, with no guarantee of completeness, accuracy, or timeliness.

This page is not an offer or a binding commitment by Ampere®. Use of the products and services contemplated herein requires the subsequent negotiation and execution of a definitive agreement or is subject to Ampere’s Terms and Conditions for the Sale of Goods.

This document is not to be used, copied, or reproduced in its entirety, or presented to others without the express written permission of Ampere®.

The technical data contained herein may be subject to U.S. and international export, re-export, or transfer laws, including “deemed export” laws. Use of these materials contrary to U.S. and international law is strictly prohibited.


© 2022 Ampere® Computing LLC. All rights reserved. Ampere®, Ampere® Computing, Altra and the Ampere® logo are all trademarks of Ampere® Computing LLC or its affiliates. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.