FireEye cares deeply about our products, services, business applications, and infrastructure security. As security researchers ourselves, FireEye understands the importance of investigating and responding to security issues. We also realize that despite our best efforts to eradicate security vulnerabilities from all products and services we build, infrastructure and applications we leverage, there will always be emerging threats, new vulnerabilities, and opportunities to improve. To that end, FireEye believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture.
In the interest of protecting our customers, we provide the public research community the opportunity to engage, report, and receive credit for their work. While engaging with us, we ask that reporters honor our responsible disclosure policy and process and give FireEye an opportunity to evaluate, respond, and if necessary, remediate any confirmed security vulnerabilities prior to public disclosure.
FireEye encourages researchers to report security issues in FireEye products, services, websites, or infrastructure. FireEye's responsible disclosure process has five main stages: 1) initial triage; 2) fix development/remediation; 3) customer release and fix availability; 4) 90-day customer grace period; 5) disclosure and notification.
Upon receipt of a report, FireEye will contact the researcher by email while it conducts initial triage and analysis of the issue (stage 1). Initial triage is generally completed in one week or less, and varies depending on the product or service. Once triage is completed, if there is an issue requiring a fix, FireEye will confirm the issue and begin the fix development/remediation process (stage 2). During this stage, FireEye will assign a reference (vulnerability title, internal notation, or Common Vulnerabilities and Exposures (CVE) number) for externally reported or publicly known security vulnerabilities in FireEye products. While multiple factors affect our time to fix availability, such as issue complexity, issue severity, and third-party vendor dependencies, FireEye generally releases fixes within 30-90 days. Once a fix is available, FireEye will provide information about fix availability only to our customers, encouraging them to download and apply the fix to their systems/assets (for those assets that depend on customer application of the fix) (stage 3). This communication will inform FireEye customers of fix availability and any recommended mitigations, where available. At this time, FireEye will not disclose detailed information about the issue as it pertains to the researcher until 90 days from the date the fix is available on all of our impacted products, or implemented in the affected service(s), website(s), or infrastructure (stage 4). We ask that researchers also honor this 90-day non-disclosure grace period as a courtesy to our customers, so that they have sufficient time to apply the fix and update their systems.
For products where customer telemetry is available, FireEye will continue to monitor customer update status and work with our Customer Support team to notify our customer base of the disclosure timeframe, urging them to update as the 90-day disclosure period draws near. At the close of the 90-day period, or sooner, FireEye will issue an advisory and disclosure in the form of release notes or security notices with additional information about the security issue, and will credit the researcher who discovered the issue (stage 5) where our responsible disclosure policy has been followed. If the researcher does not desire public recognition, we ask that they indicate this to us during initial communication.
FireEye will remain in contact with the researcher throughout all stages of the process. As a standard practice for protecting our customers, FireEye does not confirm, discuss, or disclose any security issue or vulnerability until a fix has been released on all affected products, or implemented in the affected service(s), website(s), or infrastructure. Likewise, FireEye requests that researchers not disclose any information about the finding, publicly or otherwise, while FireEye evaluates, remediates, and deploys fixes to customers, per this policy. FireEye believes this to be the most productive course of action to continue protecting customers and partners who use our products and services to secure their companies, and those who rely on our infrastructure and applications to run FireEye.
During the communication and disclosure process, FireEye will indicate when the next contact will occur and, where necessary, estimated timeframes. Researchers may request status updates at any time.
We thank you in advance for your participation, willingness, and assistance to improve the security of our products and help us continue to protect our customers.