Symantec is committed to responsible disclosure. We believe that it is the best way we can serve our customers and do our part to protect the Internet community.
As a sign of our commitment, Symantec provides the Responsible Disclosure Policy to address vulnerabilities that our consultants find in other vendors' products.
Report a Vulnerability in a Symantec Product
Symantec Security Consultants, and Symantec Security Response, leaders in technical security expertise and research, may find security vulnerabilities in many types of software during the course of their work.
The GPG public key for research@symantec.com is available.
Symantec Vulnerability Research Advisories will be published to the bugtraq mailing list by research@symantec.com and will be archived in the vulnerability database on the SecurityFocus website.
Symantec Corporation expects other vendors to keep the needs of customers as their foremost priority, and to adhere to the standards outlined by the OIS. Once a vendor has been notified of the vulnerability in their product, they are expected to work closely and cooperatively with the Symantec Vulnerability Research Team to develop patches in a timely manner.
For more detailed instructions and suggestions, please read "Suggestions for Vendors" in the Responsible Disclosure Policy.
The research@symantec.com email address is intended ONLY for the purposes of communicating with vendors about product vulnerabilities that Symantec personnel have discovered, and for publishing advisories to the bugtraq mailing list. It is not for technical support or virus-related information, nor is it for reporting software vulnerabilities to Symantec.
