Vulnerability Management Commitment
and Disclosure Policy
Symantec is committed to resolving security vulnerabilities quickly and carefully, culminating in release of a Security Advisory and any needed product update for our customers.
Symantec is a founding member of the Organization for Internet Safety and we follow the Responsible Disclosure guidelines developed by OIS. These guidelines encourage open communication between finders and vendors, clarify responsibilities between parties, and protect individuals, enterprises, and the internet infrastructure from exploitation whenever possible. We work closely with researchers who communicate vulnerabilities to us, and we give credit to finders who follow responsible disclosure.
At Symantec, vulnerability management begins in Product Development, where Symantec uses a variety of secure coding methods and analysis tools for vulnerability reduction. Some of our products are additionally certified to Common Criteria standards for security. In some cases, however, vulnerabilities escape detection, or new types of exploits are designed after we release a product, resulting in potential for security breaches in our customer's environments.
Symantec's position is that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.
Because our products are complex, interrelated, and used on a variety of hardware under many different configurations, Symantec cannot provide software security patches according to a set timeline. Each issue requires investigation, resolution, localization, and testing appropriate to its complexity. Development teams expedite security fixes as critical defects and will often work round-the-clock to deliver a sound patch if a serious vulnerability is found.
Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after we have released a security update. Customers should be aware that those who exploit security systems often do so by reverse engineering published security updates. Therefore, customers need to patch promptly.
Responsible security researchers work with the Symantec Product Security team through the email address email@example.com. Responsible finders understand that the customer's security is paramount, so they work with us to make sure the patch is available--and customers have had adequate time to deploy the patch--prior to discussing the vulnerability in public forums or releasing exploit code.
During the course of their work, Symantec employees may discover a vulnerability in another vendor's product. Symantec will follow responsible disclosure guidelines for resolving the vulnerability with the involved vendor. Our goal is to be a supportive, responsible member of the security research community.
If you think you have found a security flaw in a Symantec product, please send all supporting information to firstname.lastname@example.org, using the PGP key posted below to ensure secure communication. Please do not send attachments; they will not be accepted. This address is intended ONLY for reporting product vulnerabilities. For general technical support, please refer to the Support section of our website.