The McAfee Advanced Threat Research team has a single goal in dealing with vulnerabilities—to shepherd the company and the security industry through a diverse and evolving set of threats, with the aim of exposing and reducing attack surfaces. This goal cannot be accomplished without trusted partnerships, industry-wide collaboration, and reasonable disclosure of vulnerabilities. The following criteria will serve as a methodology for vulnerability disclosures by McAfee.
- Our priority is to engage the affected vendor as quickly as possible when we uncover an undisclosed vulnerability.
- We will initiate an open dialogue with the affected vendor and provide as much detail as we can, including, when possible, proofs of concept, full exploits, and remediation details.
- Once we have notified a vendor of a software vulnerability, we will allow up to 90 days for the vendor to provide a patch or other relevant fix for the issue. If the vendor has not responded within 90 days, we will publicly disclose the vulnerability. If the vendor issues a fix during the 90-day window, the Advanced Threat Research team may bring forward its disclosure. The team may also take into account the time required for customer applications of the vendor mitigation. Our aim is to enable vendors to provide appropriate remediations to affected users while also pushing the industry toward better software practices and faster responses to critical security issues.
- If a vendor has demonstrated “good faith” and actively works with McAfee as well as its internal remediation teams, we may grant an extension of up to 30 days, determined by the Advanced Threat Research team.
- In the rare case of active exploitation, the team may escalate the public disclosure timeline. We will work to communicate clearly on the disclosure timeline and level of detail with vendors in these scenarios.
- If we discover another affected vendor later in the discussions, the Advanced Threat Research team will determine whether to allow additional time before disclosure. Our ability to continue providing best-of-breed vulnerability research is highly dependent on our credibility in the industry. In certain scenarios, the team will publish extensive details and investigative findings to help the security community continue to mature. We believe strongly that this open and collaborative sharing process among McAfee, vendors, and the information security community is essential to reducing the impact of today’s ever-changing threats.
- In unique scenarios, the Advanced Threat Research team reserves the right to shorten or lengthen the disclosure window. We will make every effort to contact the affected parties in this unlikely event.
- For hardware-related disclosures, McAfee recognizes a lengthier disclosure period may be appropriate, given the challenge of providing timely and effective replacement solutions for affected platforms.
- The Advanced Threat Research team will adopt a 180-day disclosure window for vulnerabilities in hardware that require hardware replacement or upgrades to fix. We encourage vendors to provide mitigations sooner.
- Depending on the criticality and ubiquity of any affected hardware, the team will determine the appropriate level of disclosure for the public release of hardware-related vulnerabilities.
Direct any questions to ATR_Vuln@McAfee.com.