Report a Potential Security Vulnerability

NortonLifeLock’s commitment to information security

Note: For LifeLock account-related issues, such as an alert that you received or problems accessing your account, please use our Member Support Center.

For Norton product issues please visit the Norton Products Support Page.

To report security issues with NortonLifeLock products, please see the information below:

Digital security threats continue to evolve and we welcome the responsible disclosure of potential bugs, security issues, or vulnerabilities to improve our security risk posture. To report a technical security issue, such as a vulnerability, please email security@nortonlifelock.com.

 

Introduction

NortonLifeLock is committed to resolving security vulnerabilities in our products quickly and responsibly. We take the appropriate steps to minimize customer risk, provide timely information, and deliver vulnerability fixes and mitigations to address security threats to NortonLifeLock product offerings.

NortonLifeLock is committed to following the Responsible Disclosure guidelines developed by OIS and described in ISO 29417 for externally reported vulnerabilities in NortonLifeLock products. These guidelines encourage open communication between researchers and vendors, clarify responsibilities between parties, and protect individuals, enterprises, and internet infrastructure from exploitation whenever possible. We work closely with researchers who communicate vulnerabilities to us.

 

How to report a security vulnerability

To report a security vulnerability that impacts NortonLifeLock products or services, please send an email to security@nortonlifelock.com.

To expedite verification of your finding, please provide the following information on your initial communication:

  • Product name and version number, service name or URL
  • Date the vulnerability was observed
  • Description of the vulnerability
  • Location of the vulnerability (e.g. URL, domain, etc.)
  • Instructions to duplicate the vulnerability (this can be written steps, a video of screen captures detailing proof of concept, etc.)
  • Your name and company (if applicable)
  • Contact information

NortonLifeLock PSIRT will confirm receipt of your report within three business days. We will work with internal teams to verify the finding and respond in a timely manner with an update or a request for additional information.

 

Mitigation and remediation of findings

If the submitted vulnerability is confirmed as valid, NortonLifeLock will move forward with providing remediation or mitigation of the issue depending on the type, severity, and impact.

 

Additional Information and Responsible Disclosure

During the course of their work, NortonLifeLock employees may discover a vulnerability in another vendor's product. NortonLifeLock will follow responsible disclosure guidelines for resolving the vulnerability with the involved vendor. Our goal is to be a supportive, responsible member of the security research community. We appreciate the work researchers perform on our behalf and it is our goal to facilitate open communication channels with members of the broader security community to ensure a professional and collaborative environment for all parties operating in the broader technical space.