Vulnerability Management Commitment and Disclosure Policy
Veritas is committed to resolving security vulnerabilities quickly and carefully, culminating in the release of a Security Advisory and any needed product update for our customers.
Veritas follows the Responsible Disclosure guidelines developed by the Organization for Internet Safety. These guidelines encourage open communication between finders and vendors, clarify responsibilities between parties, and protect individuals, enterprises, and the internet infrastructure from exploitation whenever possible. We work closely with researchers who communicate vulnerabilities to us, and we give credit to finders who follow responsible disclosure.
At Veritas, vulnerability management begins in Product Development, where we use a variety of secure coding methods and analysis tools to detect and fix vulnerabilities. However, in some cases vulnerabilities are not detected, or new types of exploits are designed after we release a product, resulting in the potential for security breaches in our customers' environments.
Veritas's position is that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested an update and made it available to licensed customers.
Because our products are complex, interrelated, and used on a variety of hardware under many different configurations, Veritas cannot provide software security updates according to a set timeline. Each issue requires investigation, resolution, localization, and testing appropriate to its complexity. Development teams expedite security fixes as critical defects and will often work round-the-clock to deliver a sound patch if a serious vulnerability is found.
Responsible disclosure guidelines suggest that customers have an obligation to update their systems as quickly as possible, and it is customary to expect updates to be completed within 30 days after we have released a security update. Customers should be aware that those who exploit security systems often do so by reverse engineering published security updates. Therefore, customers need to update promptly.
Responsible security researchers work with the Veritas Software Security team through the email address email@example.com. Responsible finders understand that the customer's security is paramount, so they work with us to make sure the update is available, and that customers have had adequate time to deploy it, before discussing the vulnerability in public forums or releasing exploit code.
During the course of their work, Veritas employees may discover a vulnerability in another vendor's product. Veritas will follow responsible disclosure guidelines for resolving the vulnerability with the involved vendor. Our goal is to be a supportive, responsible member of the security research community.
If you think you have found a security flaw in a Veritas product, please send all supporting information to firstname.lastname@example.org, using the PGP key posted below to ensure secure communication. Please do not send attachments; they will not be accepted. This address is intended ONLY for reporting product vulnerabilities. For general technical support, please refer to the Support section of our website.
Veritas Vulnerability Manager PGP Key