Welcome to Trellix and Skyhigh Security (formerly McAfee Enterprise products and FireEye products).
At Trellix and Skyhigh Security, we look forward to working with you to keep our products and Customers safe and secure. If you believe you have found an issue with our web presence or products, we would like you to report it to us. Our security team reviews and acts upon all vulnerability reports according to responsible disclosure and criticality. We aim to respond to all reports within five business days. As we work through the reports, we will keep you updated and aim to resolve the report as quickly as possible.
If you are a McAfee home user, please visit the McAfee support site at https://www.mcafee.com/en-us/consumer-corporate/mcafee-labs/product-security-bulletins.html.
Please read on if you wish to report a security vulnerability in a Trellix or Skyhigh Security product.
Eligibility and Disclosure Policy
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines with these Trellix-specific changes:
Vulnerability disclosure
- Our default target resolution is 90 days from the confirmation date of a valid report, after which the report may be made public without objection from either party.
- Some vulnerabilities may require longer than 90 days to remediate due to complexity and other factors.
- We seek to avoid triggering the 'Last resort' clause in all cases.
Public recognition
- We will not publicly acknowledge the reporter if any part of the vulnerability report is made public before publication of our Security Bulletin or other Customer-facing documentation.
- We do not usually issue CVEs for product vulnerabilities rated below 4.0 under CVSS v3.
Bug Bounty
- We are not offering a bug bounty.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact. Please provide detailed reports with reproducible steps.
Program Rules
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- When reporting vulnerabilities, please consider (1) the attack scenario/exploitability and (2) the security impact of the bug.
Websites - scope
The following are OUT OF SCOPE:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Use of automated tools that could generate significant traffic and possibly impair the functioning of our application.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
- Issues experienced in end-of-life, no longer supported web browsers.
Products - scope
Any products or tools that are end-of-life and no longer supported are OUT OF SCOPE.
Safe Harbor
Activities consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Trellix, Skyhigh Security, and our users safe!