In order to drive more secure technology, we need to deeply understand how attacks work. The Advanced Threat Research team does exactly this. When we discover vulnerabilities, we seek to spread the understanding and drive mitigations through coordination with other stakeholders and a coordinated disclosure process. We have worked closely with various industry groups that receive such reports and understand that this can be complicated. Consistent with what McAfee asks regarding vulnerability handling, this document outlines what you can expect from ATR's coordination and disclosure.
Coordinated Disclosure Process
Our initial communications will usually be private and directed toward those who can develop and deploy effective mitigations. This communication includes some key items:
- Disclosure Plan: This outlines our proposed timeline for public disclosure. While each issue merits its own consideration, we usually propose approximately three to six months, depending on complexities such as the need to align multiple parties or to update deployed infrastructure.
- Vulnerability Description: This is where we explain the technical details of the issue(s).
- Potential Mitigation Options: While we are not aware of all the considerations necessary to completely address issues in non-McAfee products, we try to help by offering some options that could mitigate the issue.
We will attempt to work with reasonable requests to adjust the disclosure timeline. In cases of active exploitation or other threats, however, more rapid disclosure may be needed.
After reaching out to those who are in the best position to mitigate the issue, we will continue to follow up on any discussion. We may check in to see how things are going or review materials to be published according to the disclosure plan.
When coordination is complete and the time for public disclosure has arrived, the ATR team will strive to provide clear technical details with the intent to educate. This will include information about the issues as well as detection and mitigation options that we believe to be available. In doing so, we hope to avoid exaggeration while improving the understanding required to drive more secure technology.
Other Disclosure Policies
- CERT/CC Vulnerability Disclosure Policy
- Vulnerability Handling Guidelines at Intel
- Vendor Vulnerability Reporting and Disclosure Policy at Cisco
- Vulnerability Disclosure Policy at Yahoo
- Google Project Zero: Feedback and Data-Driven Updates to Google’s Disclosure Policy
- Coordinated Vulnerability Disclosure at Microsoft
- Microsoft Vulnerability Research (MSVR)
Please direct any questions to ATR_Vuln@McAfee.com.