Trellix and Skyhigh Security care deeply about the security of our products, services, business applications, and infrastructure.

As security researchers ourselves, Trellix and Skyhigh Security understand the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our products and services, there will always be emerging threats, new vulnerabilities, and opportunities to improve. To that end, Trellix and Skyhigh Security believe wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related or underlying systemic issues to further improve our security posture.

In the interest of protecting our customers, we provide the public research community the opportunity to engage, report, and receive credit for their work. While engaging with us, we ask that reporters honor responsible disclosure principles and processes and give Trellix and Skyhigh Security an opportunity to evaluate, respond, and if necessary, remediate any confirmed security vulnerabilities before public disclosure.

Expectations
When working with us according to this policy, you can expect us to take the following actions:

• Work with you to understand and validate your report, including a timely initial response to the submission.
• Work to remediate discovered vulnerabilities in a timely manner.
• Recognize your contribution to improving our security if you're the first to report a unique vulnerability and your report triggers a code or configuration change.

Compliance
To protect our customers, employees, and business, we request that security researchers maintain compliance with this policy. Trellix or Skyhigh Security considers the submission as noncompliant if the submission is publicly disclosed without express written consent from Trellix or Skyhigh Security. In addition, all research activity must be compliant with the following:

• Don't perform research on Trellix or Skyhigh Security products licensed, owned, or operated by a Trellix or Skyhigh Security customer without their express permission. For example, if you're an employee of a Trellix or Skyhigh Security customer, you can't use your employer's Trellix or Skyhigh Security product for security research without clearing it with the relevant management team at your company (such as the CISO or VP of Security).
• Don't perform social engineering attacks against Trellix or Skyhigh Security employees, customers, partners, or representatives.
• Don't perform physical security attacks against any person or entity.
• Don't perform denial-of-service attacks.

Ground Rules
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attacks, we ask that you take the following actions:

• Play by the rules. This includes following this policy and any other relevant agreements.
• Promptly report any vulnerability that you've discovered.
• Avoid violating the privacy of others, disrupting our systems or those of our customers or partners, destroying data, or harming user experience.
• Use only the HackerOne platform to submit vulnerability information to us, and only use communication methods approved by us to discuss vulnerability information once submitted.
• Treat all vulnerability information and discussions with us as confidential, and don't disclose any such information or communications to any third party (other than Hacker One), or to the public in general.
• Perform testing only on in-scope systems, and respect systems and activities that are out-of-scope.
• If a vulnerability provides unintended access to data, limit the amount of data that you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information, Personal Healthcare Information, credit card data, or proprietary information.
• You should only interact with test accounts that you own or with explicit permission from the account holder.
• Don't engage in extortion.

Trellix and Skyhigh Security customers are encouraged to use the Trellix and Skyhigh Security Technical Support Portal for issues that aren't vulnerabilities.

Safe Harbor
We consider research conducted under this policy to be:

• Authorized in view of any applicable anti-hacking laws, and we won't initiate or support legal action against you for accidental, good faith violations of this policy.
• Authorized in view of relevant anti-circumvention laws, and we won't bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our license agreements and any Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis, conditioned on compliance with this policy.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You're expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you've complied with this policy, we'll take steps to make it known that your actions were conducted in compliance with this policy.

We've partnered with HackerOne to handle reports of potential security or vulnerability issues in our products and public websites. You can access the program at https://hackerone.com/Trellix.

In the report, provide the following:

• Contact information (all interaction is through the system)
• Summary of your finding
• Detailed steps to reproduce, including any sample code and screenshots/videos
• Product vulnerabilities
  • Product, version, and operating system
• Website vulnerabilities
  • Browser and version
  • Any disclosure plans

Product or software performance, or subscription issues
Contact Technical Support

Submit a virus sample
KB68030 - Submit samples to Labs for suspected malware detection failure

Submit a URL for classification, or challenge a classification
Trusted Source

Security Bulletins
Security Bulletins are available on our Knowledge Center. View Security Bulletins.

About the Product Security Incident Response Team (PSIRT)
For information about PSIRT, see KB95564 - About the Product Security Incident Response Team (PSIRT)