McAfee is highly focused on ensuring the security of our customers' computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, providing recommendations through security bulletins and knowledgebase articles.
To report a finding, please send a detailed email to firstname.lastname@example.org. The email must include the following:
A member of the PSIRT team will contact you and work with the internal product teams to validate the finding and, if it is valid, to provide a fix.
Other requests are handled elsewhere: product or software performance and subscription issues go to McAfee support, and virus samples and URL classification requests (or challenges to an existing classification) go through their own submission forms. Security vulnerabilities go to McAfee PSIRT.
McAfee does not announce product or software vulnerabilities publicly until an actionable workaround, patch, hotfix, or version update is available; announcing earlier would only tell attackers that our products are a target and put our customers at greater risk. For vulnerabilities that attract heavy media attention, such as Heartbleed, we post a banner stating that we are aware of the issue and what action we are taking.
To be fair to all customers, McAfee discloses product vulnerabilities to every customer at the same time. Large customers do not normally receive advance notice; the CISO may grant advance notice on a case-by-case basis, and only under a strict NDA.
McAfee gives credit to vulnerability discoverers only if:
Organizations, individuals, or both may be identified as discoverers.
All security bulletins must include a CVSS score and the associated CVSS vector for each vulnerability. The base score is required; temporal and environmental scores are optional. Ideally, base scores should match the scores that NIST assigns to the corresponding CVEs in the NVD.
McAfee's fix and alert response depends upon the highest CVSS base score among the vulnerabilities covered by a bulletin.
|Priority (Security)||CVSS Score||Typical Fix Response*|
|P1 - Critical||9.0-10.0 Critical||Hotfix|
|P2 - High||7.0-8.9 High||Update|
|P3 - Medium||4.0-6.9 Medium||Update|
|P4 - Low||0.1-3.9 Low||Version Update|
|P5 - Info||0.0||Will not fix. Informational.|
*Note: The fix response is based upon the severity of the vulnerability, the product lifecycle, and the feasibility of a fix. The typical fix response described above is not a commitment to produce a hotfix, patch, or version update for all supported product versions.
External Communication Mechanisms
McAfee's external communication mechanism depends upon the CVSS base score, the number of customer inquiries, and the amount of media attention (KB = knowledgebase article; SB = security bulletin).
|Mechanism||CVSS = 0||0 < CVSS < 4||4 ≤ CVSS < 7||7 ≤ CVSS ≤ 10|
|External Disclosure (CVE)*||KB if multiple inquiries, else NN||KB||SB||SB|
|Internal Disclosure||NN||Document in release notes||SB (post-release), Document in release notes||SB (post-release), Document in release notes|
*By default, McAfee does not issue CVEs for issues scoring below 4.0.
For publicly known high-severity vulnerabilities affecting multiple products, a security bulletin may be published with a patch for one product, and then updated later with other patches and descriptions for the other products as they become available.
Security bulletins with multiple vulnerable products will list all products, in the following categories:
Security bulletins are not usually published on Friday afternoons, unless it is a crisis scenario.
Vulnerability vs. Risk Scores
McAfee uses the industry-standard Common Vulnerability Scoring System (CVSS). A CVSS score is a starting point for judging the risk a particular vulnerability may pose to McAfee's customers; it is not a risk rating of how serious a vulnerability is in a McAfee product or in the runtime environment on which the product executes.
The CVSS base score determines our initial response to a given incident.
Security Bulletins may contain product lists with the following designations: Vulnerable, Not Vulnerable, and Vulnerable, but Low Risk. The list below describes what each of these categories means in terms of potential customer impact: