Lockheed Martin Vulnerability Disclosure Policy

We take the security of our systems, assets, products, and platforms seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. If you believe you have found a vulnerability in a Lockheed Martin system, asset, product, or platform, please submit the vulnerability information to Lockheed Martin through a communication method described below.

How to report a security vulnerability?

If you believe you have found a security vulnerability in one of our systems, assets, products, or platforms please send it to us by emailing lockheed.vdp@lmco.com. Please include the following details with your report:

  • Description of (1) the system, asset, product, or platform potential impacted by the vulnerability, (2) potential impact of the vulnerability, and how the potential vulnerability was discovered;
  • A detailed description, in English if possible, of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your contact information.

All submissions must be made by sending to the email address above.

Lockheed Martin will confirm the receipt of your report within 72 hours of submission.

Guidelines

We require that all researchers:

  • Not to exploit any potential vulnerability beyond the minimal amount of testing required to determine that a vulnerability exists;
  • Not to engage in activity that could potentially harm Lockheed Martin employees, our customers, Lockheed Martin, or any third parties;
  • Notify Lockheed Martin immediately, and halt all activity, if you encounter personal information/personal data;
  • Not to exfiltrate, store, share, destroy, or otherwise compromise any Lockheed Martin, customer, or any third-party data under any circumstances;
  • Not to take any action that can potentially degrade or stop our systems, assets, products, and platforms, e.g. denial of service (DoS/DDoS) testing;
  • When conducting their research activities, they comply with all applicable U.S. and Non-U.S. federal, state, and local laws and regulations;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you have discovered confidential between yourself and Lockheed Martin until we have had minimum 120 days to resolve the issue. Lockheed Martin may extend this period, at its sole discretion, based on the complexity and or scope of the issue.

If you follow the guidelines listed above, Lockheed Martin will not pursue any legal action against you related to your research.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.