Panda Security is committed to resolving security vulnerabilities in our products in a quick and efficient manner. We very much appreciate and encourage the collaboration with researchers who report vulnerabilities to us. The following article explains how to report a Panda Security vulnerability to the Panda Security Response Team.
Please follow the responsible disclosure norms to ensure a safe and successful procedure:
- Notify the Panda Security Response Team privately.
- Only disclose the findings after Panda Security makes the vulnerability and solution public.
- Respect the disclosure coordination procedure. This is vital to avoid attacks.
How to report a security vulnerability
If you are a security researcher and believe you have found a Panda Security vulnerability, we would like to work with you to investigate it. Please contact the Panda Security Response Team at: [email protected]
The exchange of emails between Panda Security and the investigators must always be encrypted with PGP or GPG in order to protect the confidentiality of vulnerability reports. Find the Panda Security PGP public key here: Panda Security Response Key
To help us better understand the nature and characteristics of the possible vulnerability, please provide us with a detailed Proof of Concept (PoC) and make sure the issue can be replicated. Please include the information below:
- Product name and version number
- Date the vulnerability was detected
- Description of the vulnerability
- Instructions to replicate the vulnerability (sequence of steps, a video, screenshots, etc.)
- Your name and the company name
- Your contact details (email address, telephone number, anonymous)
- Your PGP or GPG public key to allow for encrypted communication (if available)
The Panda Security Response Team will confirm receipt of your report within two business days. We will work with our teams to verify the finding and respond in a timely manner with an update or request for additional information.
Remediation of the reported vulnerability
If the finding is confirmed as valid, Panda Security will provide mitigation or remediation of the reported vulnerability accordingly and will keep the reporter informed at all times.
Panda Security thanks the security researchers who report vulnerabilities in our products and services for their continuous effort in improving security. In recognition of this, although there isn’t a Bug Bounty system in place, Panda Security wants to acknowledge the efforts and therefore will publish the details of the reported vulnerability, including a mention of the researcher, on the corporate website.