Symantec Vulnerability Research

Vulnerability Discovery Process

Symantec Security Consultants, and Symantec Security Response, leaders in technical security expertise and research, may find security vulnerabilities in many types of software during the course of their work.

As a founding member of the Organization for Internet Safety (OIS), Symantec will:
• Contribute these findings to the Internet community by publishing vulnerability advisories through the Symantec Vulnerability Research Team.
• Make a good faith effort to work cooperatively and confidentially with any external software vendors to develop patches, fixes, or mitigation strategies for any vulnerability we discover.
• Coordinate with the vendor to publicly disclose the vulnerability and its associated patch in a responsible manner.

The GPG public key for research@symantec.com is available.

Symantec Vulnerability Research Advisories will be published to the bugtraq mailing list by research@symantec.com and will be archived in the vulnerability database on the SecurityFocus website.

Suggestions for Vendors

Symantec Corporation expects other vendors to keep the needs of customers as their foremost priority, and to adhere to the standards outlined by the OIS. Once a vendor has been notified of the vulnerability in their product, they are expected to work closely and cooperatively with the Symantec Vulnerability Research Team to develop patches in a timely manner.

For more detailed instructions and suggestions, please read "Suggestions for Vendors" in the Responsible Disclosure Policy.

The research@symantec.com email address is intended ONLY for the purposes of communicating with vendors about product vulnerabilities that Symantec personnel have discovered, and for publishing advisories to the bugtraq mailing list. It is not for technical support or virus-related information, nor is it for reporting software vulnerabilities to Symantec.