
FireEye
FireEye takes all reports of security issues seriously and investigates and responds to all credible reports. We believe in following responsible disclosure guidelines and ask that reporters give us an opportunity to evaluate, respond, and if necessary, remediate security vulnerabilities before publicly disclosing them.
To report a suspected vulnerability that affects a FireEye product, service, website, or other infrastructure, or to report an abuse issue related to FireEye, please contact: [email protected].
You can use the FireEye Security team's PGP and S/MIME keys to send sensitive information to us privately.
FireEye encourages all security researchers who discover a security issue with a FireEye product, service, website, or infrastructure, or who have observed abusive behavior from a FireEye network or other infrastructure, to contact us. We will respond to all credible reports in a timely manner, typically within two business days. We ask that while we evaluate the issue and, if necessary, remediate it, you not disclose it publicly for as long as we continue to coordinate with you. We believe this to be the most productive course of action to continue to protect the customers and partners using our products and services to secure their companies. We will indicate when you should expect the next contact from us and we will provide you with estimated timeframes when necessary. You are welcome to request a status update at any time.
If the issue you have reported results in a security fix or bulletin, or in a fix to a website or infrastructure, we will credit you for the report in the publication if you would like to be credited.
As a standard practice for protecting our customers, FireEye does not confirm, discuss, or disclose any security issue or vulnerability until a fix has been released on all affected products, or implemented in the service(s), website(s), or infrastructure. There may be exceptions that occur from time to time if circumstances dictate. When these exceptions arise, FireEye will release pertinent information so that a customer (or other affected user) can determine the best course of action to mitigate risk in their environment. This may include the general area of the vulnerability, a severity rating (or other scoring mechanism), recommendations for compensating controls, appropriate CVE numbers when available, and general best practice recommendations. It will not, however, include or reference specific information to enable exploitation of the vulnerability.
FireEye management takes great care when making any decision to publicly disclose vulnerabilities prior to availability of a full fix and carefully considers the impacts to the companies protected by FireEye products and services. In all cases, the guiding principle is to act swiftly to ensure FireEye continues to provide the critical protection that our customers and partners rely on for their own security.