Veritas is committed to resolving security vulnerabilities quickly and carefully, culminating in release of a Security Advisory and any necessary product update for our customers.
Veritas follows the Responsible Disclosure guidelines developed by the Organization for Internet Safety. These guidelines encourage open communication between finders and vendors, clarify responsibilities between parties, and protect individuals, enterprises and the internet infrastructure from exploitation whenever possible. We work closely with researchers who communicate vulnerabilities to us, and we give credit to finders who follow responsible disclosure.
At Veritas, vulnerability management begins in Product Development, where we use a variety of secure coding methods and analysis tools to detect and fix vulnerabilities. However, in some cases they are not detected, or new types of exploits are designed after we release a product, resulting in potential for security breaches in our customers' environments.
Veritas's position is that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested an update and made it available to licensed customers.
Because our products are complex, interrelated and used on a variety of hardware under many different configurations, Veritas cannot provide software security updates according to a set timeline. Each issue requires investigation, resolution, localization and testing appropriate to its complexity. Development teams expedite security fixes as critical defects and will often work round-the-clock to deliver a sound patch if a serious vulnerability is found.
Responsible disclosure guidelines suggest that customers have an obligation to update their systems as quickly as possible, and it is customary to expect updates to be completed within 30 days after we have released a security update. Customers should be aware that those who exploit security systems often do so by reverse engineering published security updates. Therefore, customers need to update promptly.
Responsible security researchers work with the Veritas Product Security team through the email address secure@veritas.com. Responsible finders understand that the customer's security is paramount, so they work with us to make sure the update is available – and customers have had adequate time to deploy the update prior to discussing the vulnerability in public forums or releasing exploit code.
During the course of their work, Veritas employees may discover a vulnerability in another vendor's product. Veritas will follow responsible disclosure guidelines for resolving the vulnerability with the involved vendor. Our goal is to be a supportive, responsible member of the security research community.