Cylance Product Security

Cylance® Supports Responsible Disclosure…

Cylance® encourages researchers to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. Cylance is committed to engaging with the research community in a positive, professional, mutually beneficial manner that protects our customers.  


The Cylance® Security Response Team strives to:

  • Respond in a timely manner
  • Keep reporting parties apprised of progress
  • Notify reporting parties when the issue has been addressed
  • Treat researchers honestly, fairly, and with respect.


As a standard practice for protecting our customers, Cylance® will not confirm, discuss, or disclose any security issue or vulnerability until a fix has been released on all affected products, or implemented in the service(s), website(s), or infrastructure, except with the reporting researchers and our vulnerability reporting service, HackerOne.


Reporting a Vulnerability

Cylance®, in partnership with BugCrowd and HackerOne, is committed to working with researchers who adhere to responsible disclosure in a respectful, engaged manner to quickly address security vulnerabilities.


If you have information about a vulnerability with a Cylance® product, service, website or infrastructure, please contact us through either of our bug bounty programs hosted on:


Cylance is committed to awarding researchers equally regardless of the platform they choose to use.
We will, however, only pay for first discovery once between platforms.

Security issues (active compromise or attacks) should be reported to Cylance® directly at: Please refrain from sending sensitive details in the initial email; we will send you a PGP key to use in follow-up communications.


Out of Scope for

The Cylance® security team is dedicated to and focused on improving the security of Cylance products and services. We appreciate any submissions but ask that you use address only for direct security issues in Cylance® products or services. Some examples of things we do not directly handle include:

  • When you are asking for help in applying upgrade packages that have been distributed because of security alerts.
  • When you are reporting a vulnerability in another vendor's products, or requesting information regarding a vulnerability in another vendor's products.


If you are looking for general support, please engage with our support team: