Symantec Vulnerability Response Guidelines

Introduction

Symantec is committed to resolving security vulnerabilities in our products quickly and carefully. We take the necessary steps to minimize customer risk, provide timely information, and deliver vulnerability fixes and mitigations required to address security threats in Symantec software.

As a founding member of the Organization for Internet Safety (OIS), Symantec is committed to following the Responsible Disclosure guidelines developed by OIS and described in ISO 29417 for externally reported vulnerabilities in Symantec products. These guidelines encourage open communication between finders and vendors, clarify responsibilities between parties, and protect individuals, enterprises, and internet infrastructure from exploitation whenever possible. We work closely with researchers who communicate vulnerabilities to us, and we give credit to finders who follow responsible disclosure.

How to report a security vulnerability

If you believe you have found a vulnerability in a Symantec product, cloud service, or IT infrastructure that has not been resolved, please contact Symantec via the email addresses provided below:

  • Vulnerability reports for Symantec on-premise products should be sent to the Symantec Product Security Incident Response Team (PSIRT) at secure@symantec.com.
  • Vulnerability reports for Symantec cloud services and IT infrastructure should be sent to the Symantec GSO Security Operations Center (SOC) at security@symantec.com.

To expedite verification of your finding, please provide the following information in your initial communication with Symantec:

  • Product name and version number, or service name
  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability (this can be written steps, a video, or a set of screen captures detailing the proof of concept)
  • Your name and company (if applicable)
  • Your preferred contact information (email, phone, anonymous)
  • Your PGP or GPG public key to allow for encrypted communication (if available)

The Symantec PSIRT will confirm receipt of your report within three business days. We will work with internal teams to verify the finding and respond in a timely manner with an update or request for additional information.

PGP key details

We encourage finders to use encrypted communication channels to protect the confidentiality of vulnerability reports. Our PGP public key is available at the following link:

PSIRT PGP Key for secure@symantec.com

Note: Symantec can exchange encrypted email with you using either PGP or GPG.

Mitigation and remediation of finding

If the submitted finding is confirmed as valid, Symantec will move forward with remediation or mitigation of the issue, depending on its type, its severity, and the number of impacted products or services. The Symantec PSIRT will keep the reporter of the vulnerability up to date on progress until the issue has been fully addressed.

Additional information and responsible disclosure

During the course of their work, Symantec employees may discover a vulnerability in another vendor's product. In such cases, Symantec will follow responsible disclosure guidelines for resolving the vulnerability with the vendor involved. Our goal is to be a supportive, responsible member of the security research community. We appreciate the work finders perform on our behalf, and we aim to maintain open communication channels with the broader security community so that all parties can work together in a professional and collaborative environment.

Conclusion

Being the market leader in security technologies, Symantec is committed to addressing and resolving any security vulnerabilities that manifest in our software. We will work with finders to review, validate, and mitigate any security issues that are discovered, and we will follow responsible disclosure guidelines to provide assurance to our customers.