Report A Security Issue
Reporting Security Issues
Mandiant cares deeply about our services, platform, business applications, and infrastructure security. As security researchers ourselves, Mandiant understands the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our services and platform, there will always be emerging threats, new vulnerabilities, and opportunities to improve. To that end, Mandiant believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture.
In the interest of protecting our customers, we provide the public research community the opportunity to engage, report, and receive credit for their work. While engaging with us, we ask that reporters honor responsible disclosure principles and processes and give Mandiant an opportunity to evaluate, respond, and if necessary, remediate any confirmed security vulnerabilities prior to public disclosure.
When working with us according to this policy, you can expect us to:
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability and your report triggers a code or configuration change.
To protect our customers, employees, and business, we request security researchers maintain compliance with this policy. Mandiant will consider the submission as noncompliant if the submission is publicly disclosed without express written consent from Mandiant. In addition, all research activity must be compliant with the following:
- Do not perform research on Mandiant products licensed, owned, or operated by a Mandiant customer without their express permission. For example, if you are an employee of a Mandiant customer, you may not use your employer’s Mandiant product for security research without clearing it with the relevant management team at your company (such as the CISO or VP of Security).
- Do not perform social engineering attacks against Mandiant employees, customers, partners, or representatives
- Do not perform physical security attacks against any person or entity
- Do not perform denial of service attacks
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you:
- Play by the rules. This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems or those of our customers or partners, destroying data, and/or harming user experience;
- Use only this page (www.mandiant.com/company/security) or the Bugcrowd platform to submit vulnerability information to us, and only use communication methods approved by us to discuss vulnerability information once submitted;
- Treat all vulnerability information and discussions with us as confidential, and do not disclose any such information or communications to any third party (other than Bugcrowd), or to the public in general;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Interact only with test accounts you own or for which you have explicit permission from the account holder;
- Do not engage in extortion.
- Mandiant customers are encouraged to use the Mandiant Support Portal for submissions.
We consider research conducted under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our license agreements and any Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis, conditioned upon compliance with this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
Please submit your disclosure to firstname.lastname@example.org.