Lockheed Martin Vulnerability Disclosure Program

About Our Effort

We take the security of our systems, assets, products, and platforms seriously, and we value the security community. The disclosure of security vulnerabilities and issues helps us ensure the security and privacy of our users. If you believe you have found a vulnerability in a Lockheed Martin public-facing system, asset, product, or platform, please submit the vulnerability information to Lockheed Martin through a communication method described below.

Frequently Asked Questions (FAQ)

How to report a security vulnerability?

If you believe you have found a security vulnerability in one of our public-facing systems, assets, products, or platforms please send it to us by emailing lockheed.vdp@lmco.com. Please include the following details with your report:

  1. Description of the system, asset, product, or platform potentially impacted by the vulnerability.
  2. Potential impact of the vulnerability, and how the potential vulnerability was discovered.
  3. A detailed description, in English if possible, of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).
  4. Your contact information.

All submissions must be made by sending to the email address above.

If valid, Lockheed Martin will confirm the receipt of your report within 3 business days of submission.

Is there a reward?

We currently do not financially compensate discoveries or bug bounties.

Can Lockheed Martin employees participate?

This vulnerability disclosure process is intended for use by non-Lockheed Martin employees/contractors.  Lockheed Martin employees/contractors should contact their Business Area Information Security Officer to report any vulnerabilities they discover.

Guidelines

Working With Us

We require that all researchers and reporters:

  • Use the communication channels identified here to report vulnerability information to us.
  • Comply with all applicable U.S. and Non-U.S. federal, state, and local laws and regulations, when conducting their research activities.
  • Halt all activity, and notify Lockheed Martin immediately, if they encounter personal information/personal data.
  • Do not exfiltrate, store, share, destroy, or otherwise compromise any Lockheed Martin, customer, or any third-party data under any circumstances.
  • Do not perform any action that can potentially degrade or stop our systems, assets, products, and platforms, e.g. denial of service (DoS/DDoS) testing.
  • Not to exploit any potential vulnerability beyond the minimal amount of testing required to determine that a vulnerability or issue exists.
  • Not utilize the findings, if reported or validated here, to enumerate or exploit Lockheed Martin, other companies, or individuals.
  • Disengage and avoid activity that could potentially harm Lockheed Martin employees, our customers, Lockheed Martin, or any third parties.
  • Keep information about any vulnerabilities you have discovered confidential between yourself and Lockheed Martin until we have had minimum 120 days to verify and resolve the issue. Lockheed Martin may extend this period, at its sole discretion, based on the complexity and or scope of the issue.

If you follow the guidelines listed above, Lockheed Martin will not pursue any legal action against you related to your research.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our official channels (lockheed.vdp@lmco.com) before going any further.

Expectations

When working with us according to this policy, you can expect us to:

  • Acknowledge your report in a timely manner.
  • Work with you to understand and validate your report.
  • Address your findings at Lockheed Martin as deemed appropriate by our internal team.
  • Work with you to address broader cybercrime based upon your findings, as appropriate.
  • Maintain an open dialogue to discuss issues.

Safe Harbor

Lockheed Martin considers security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act and other applicable computer use laws. To promote disclosure under this policy, Lockheed Martin will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. Lockheed Martin, however, has the sole right to make the determination of whether a violation of this policy is accidental or in good faith.

You are expected, as always, to comply with all applicable US and international laws. If research involves information, applications, products, or services of a third party Lockheed-Martin cannot bind that third party, and they may pursue legal action or provide notice to law enforcement. Lockheed Martin does not authorize research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

Lockheed Martin will review your report and determine if your findings are valid and not previously reported. Public disclosure of the details of any identified or potential vulnerability without express written consent will be considered as noncompliant with our submission guidelines and not protected by our Safe Harbor policies.

Secure Communication

To communicate with us in a verifiably secure manner as necessary, please contact us using PGP. Our fingerprint to verify our messages: 

2F9BE9D2D2F61D83528641407B04B468FED0DCA