Trend Micro endeavors to develop and release products that meet the highest standards of quality and security. However, there are rare occasions where an unintended vulnerability may be discovered due to various reasons, including new types of exploits that may be developed after the release of a product.
We take and investigate every vulnerability report very seriously and we are committed to thoroughly resolving any issues in a timely manner. Trend Micro follows the guidelines of responsible disclosure to ensure its customers address potential vulnerabilities as quickly as possible to mitigate associated risks.
A Security Vulnerability is defined as a weakness or flaw found in a product or related service component(s) that could be exploited. It may allow an attacker to compromise the product's integrity. At the same time, it may undermine the regular behavior of the product even when properly deployed in supported configuration. This includes situations wherein the confidentiality (e.g. source code) of a product or service component(s) may be negatively affected.
Traditional product bugs and malware can also negatively affect the operation of a product. However, for the purpose of this process, these are not included in the definition of a security vulnerability.
Trend Micro highly recommends that security researchers contact the Trend Micro Product Vulnerability Response Team by sending an email to firstname.lastname@example.org. Submitters are encouraged to utilize Trend Micro’s Product Security PGP key to encrypt sensitive information sent to this address.
A Trend Micro Product Vulnerability Coordinator will acknowledge the receipt of the submission and then begin the process of collaborating with the submitter and Trend Micro product security engineers on validating, reproducing, and ultimately resolving the potential issue if it is confirmed to be a legitimate security vulnerability.
Trend Micro's goal is to resolve confirmed vulnerabilities as quickly and thoroughly as possible, then efficiently distribute the resolution to affected customers. Since each vulnerability is unique, they are addressed accordingly. Ongoing dialog is highly encouraged to best understand the vulnerability and possible risks.
Responsible security researchers understand that customer security is a priority. This means customers are given ample time to deploy the fixes before any findings are released on a public forum, blog, or social media platform.
Emails regarding product vulnerabilities should only be sent to email@example.com. Regular product support, including malware and other threat-related inquiries, should be directed to your region's authorized Trend Micro Technical Support representative.
Trend Micro would like to thank the following security researchers and organizations for working with us to resolve one or more security vulnerabilities in our products and services. The names of individuals or organizations listed below have disclosed one or more security vulnerabilities and have actively worked with Trend Micro engineers to resolve these vulnerabilities.
The names of individuals and organizations appear below with their permission.
Disclosures for 2017
- Gamiel Xavier V. Manbiotanfb.com/Yokairenki
- Himanshu RahiIndividual
- Honc (章哲瑜)firstname.lastname@example.org
- Jolan Saluriafb.com/jlnslr
- Md. Nur A Alam Dipufb.com/nuraalam.dipu2
- Natanmai Deepak Sundararajan(K.L.N.C.I.T)
Disclosures for 2016
- Amine Hmfb.me/AMiN3.HM
- Aniket Pawarbit.ly/1XJetMT
- Armaan Pathanon.fb.me/204Vmgh
- Ashutosh Barotwww.ashutoshbarot.com
- Center of Information Security, Kyrgyzstanhttps://cis.kg
- Emad Abou Shanab(@Alra3ees)fb.me/red.heart.56679
- Evan Ricafort (Invalid Web Security)www.evanricafort.com
- Gregory Draperihttp://bit.ly/2cgn9gk
- Himanshu Mehtabit.ly/2bztlzH
- Iwo Graj (CERT Orange Polska)schain.only.pl
- Jerold Camacho (Invalid Web Security)jeroldcamacho.info
- John Page aka hyp3rlinxhttp://hyp3rlinx.altervista.org/
- Jose Carlos Exposito BuenoResearcher
- Jun KokatsuKDDI Singapore Dubai Branch
- Kamran Saifullah (Ch Mansab Ali)www.C-AtraX.com
- Karim Rahal@KarimPwnz
- Kaushik Roybit.ly/1pHDbCm
- Mansoor Gilalfb.com/mansoor.gilal1
- Muhammad Mudassar Yaminhttp://bit.ly/2eAGhng
- Oliveira Lima JR (@oliveiralimajr)rootlabs.com.br
- Quentin Kaiser@qkaiser
- Sachin Wagh (@tiger_tigerboy)Individual
- SaifAllah benMassaoudGovernment Laboratory & Evolution Security GmbH
- Shawar Khanon.fb.me/1R5Lv4T
- Shehu Awwalwww.shehuawwal.com
- Shivram Chouhanhttp://bit.ly/2fyqZAe
- Spyridon ChatzimichailOTE Hellenic Telecommunications Organization S.A
- Sumit Sahoowww.sumitsahoo.com
- Tayyab Qadirfb.me/tqMr.EditOr
- Travis Emmertbit.ly/1T6Io2Y
- Wayne Low (@x9090)FortiGuard Labs
- YoKo Kho (@yokoacc)Mitra Integrasi Informatika, PT - Consulting & Advisory Svc. Dept.
- Zawad Bin Hafizwww.sekafy.com
Disclosures for 2015
- Ahmed Adel Abdelfattahfb.me/00SystemError00
- Ahmed Jerbion.fb.me/1fwQTTy
- Ali Hassan Ghori@alihasanghauri
- Ali Salem Saeed (Ali BawazeEer)bit.ly/1io8QF9
- Christian Galeonelinkd.in/1UC8gT2
- Jayaram YallaIndividual
- John Page aka hyp3rlinxhttp://hyp3rlinx.altervista.org/
- k.karthickumar (Ramanathapuram)Individual
- Kevin Michael JoensenSecu A/S
- Khair Alhamadhttp://bit.ly/1Q9EC5P
- Konduru Jashwanthon.fb.me/1JUg0rd
- Lawrence AmerIndividual
- Mohamed A. BasetSeekurity Inc.
- Mohamed Chamlion.fb.me/TnMcH
- Mohamed Khaled Fathyfb.me/Squnity
- Nathan YoungE-Secure Australia
- Nithish M. Vargheseon.fb.me/nithish.varghese
- Pradeep Kumaron.fb.me/pradeepch99
- Praveen AnanthojiIndividual
- Ramin Farajpour@MF4rr3ll
- Roberto ZangaIndividual
- Roy JansenIndividual
- SaifAllah benMassaoudon.fb.me/1Mj7Kpq
- Sajibe Kantihttp://eesec.org
- Salman KhanIndividual
- Saurabh Pundiron.fb.me/sauby007
- Shivam Kumar Agarwalon.fb.me/shivamkumar.agarwal.9
- Siddhartha Tripathysg.linkedin.com/in/sidsg
- Sravan KudikyalaIndividual
- Sumit Sahoofb.me/54H00
- Vishwaraj Bhattraion.fb.me/1Q0OmwQ
We would also like to thank the security researchers and organizations who wished not to be listed.
To report a potential security issue with any of Trend Micro Products, refer to this section: Report a Vulnerability.