Vulnerability Reasonable Disclosure Policy

Last updated: 2018-02-28

The McAfee Advanced Threat Research team has a singular focus when it comes to vulnerabilities: to shepherd the company and the security industry through a diverse and evolving set of threats, with the ultimate goal of exposing and reducing the attack surface. This goal cannot be accomplished without trusted partnerships, industry-wide collaboration, and reasonable disclosure of vulnerabilities. As such, the following criteria will serve as a methodology for vulnerability disclosures by McAfee.

  • Our priority is to engage a vendor as quickly as possible when we uncover an undisclosed vulnerability.
  • We will initiate an open dialogue with the affected vendor and provide details, including, when possible, proofs of concept, full exploits, and remediation details.
  • Once a vendor is notified of a vulnerability, there will be a remediation window of up to 90 days for the vendor to provide a patch or other relevant fix for the issue. If the vendor has not responded within 90 days, the vulnerability will be publicly disclosed. If a fix has been issued by the vendor during the 90-day window, the Advanced Threat Research team may speed up disclosure. We may also consider the time required for users to apply the vendor's mitigation. Our aim is to enable vendors to provide appropriate remediations to affected users while also pushing the industry toward better software practices and faster response to critical security issues.
  • If a vendor has demonstrated good faith and is actively working with McAfee as well as its internal remediation teams, we may grant an extension of up to 30 days, determined by the Advanced Threat Research team.
  • In the rare case of active exploitation, we may escalate the public disclosure timeline. We will work to communicate clearly with vendors on the disclosure timeline and level of detail in these cases.
  • If another affected vendor is discovered later in the discussions, we will determine if additional time before disclosure is appropriate. Our ability to continue providing this no-cost vulnerability research service is highly dependent on our credibility in the industry. In certain cases, we will publish extensive details and investigative findings to help the security community continue to mature. We believe strongly that this open and collaborative sharing process between McAfee, vendors, and the information security community is essential in today’s ever-changing threat landscape.
  • The Advanced Threat Research team reserves the right to make appropriate exceptions in extreme circumstances.

The following links offer some of the industry’s well-known coordinated disclosure policies for reference:

Please direct any questions to ATR_Vuln@McAfee.com.