Intel Security (formerly McAfee) is highly focused on ensuring the security of our customers' computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, and providing recommendations through security bulletins and knowledgebase articles.Submit a Virus Sample Contact Technical Support Contact PSIRT
If you have information about a security issue or vulnerability with a McAfee / Intel Security product, please send an email to firstname.lastname@example.org and CC PSIRT@IntelSecurity.com. Encrypt sensitive information using Intel's PGP public key.
Please provide as much information as possible, including:
A member of the McAfee Product Security Group (PSG) and/or Product Security Incident Response Team (PSIRT) will review your email and contact you to collaborate on resolving the issue.Triage
Externally reported product vulnerabilities are handled by the McAfee Product Security Group. For other issues, please contact one of the teams below:
Externally reported IT application and web application vulnerabilities are handled by McAfee Global Security Services’ (GSS) Security Operations Center (SOC).
IT application or web vulnerability
McAfee Security Operations Center (SOC)
Phone: +1 972-987-2745
External queries on performance of currently shipping products are handled by McAfee Technical Support.
Product or software performance, or subscription issue
McAfee Technical Support
Virus and malware samples are handled by McAfee Labs.
Submit a virus sample
Contact Intel Security/McAfee PSIRT
Phone: +1 408-753-5752
Intel Security will not announce product or software vulnerabilities publically without an actionable workaround, patch, hotfix, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
Intel Security discloses product vulnerabilities to all customers at the same time. Large customers typically do not get advanced notice. Advanced notice may be granted by the PSG on a case-by-case basis and only with a strict NDA.
Intel Security gives credit to external vulnerability discoverers only if:
Organizations, individuals, or both may be identified as discoverers.
All security bulletins must include the CVSS scores for each vulnerability as well as the associated CVSS vectors. Both base and temporal scores are required. Base scores should match the scores assigned by NIST to CVEs.
Support Notification Service (SNS) Message
A Support Notification Service (SNS) message, notice, or alert is required for all security bulletins. This is a service that Intel Security Enterprise Support customers rely upon as well as other customers.
To subscribe to SNS text alerts, go to the SNS Request Center and “Create a New Account.”
Intel Security’s fix and alert response depends upon the highest CVSS base score.
|Priority (Security)||CVSS v2 Score||Typical Fix Response||SNS|
|P1 - Critical||8.5-10.0 High||Hotfix||Alert|
|P2 - High||7.0-8.4 High||Patch||Notice|
|P3 - Medium||4.0-6.9 Medium||Patch||Notice|
|P4 - Low||0.0-3.9 Low||Version Update||Optional|
|P5 - Info||0.0||Will not fix. Informational.||NA|
External Communication Mechanisms
Intel Security’s external communication mechanism depends upon the CVSS base score, the number of customer inquiries, and the amount of media attention.
|CVSS = 0|
|0 < CVSS < 4|
|4 ≤ CVSS < 7|
|7 ≤ CVSS ≤ 10
|External Disclosure (CVE)||KB if multiple inquiries, else NN||KB||SB, SNS||SB, SNS|
|Customer Disclosure||SS||SS||SB, SNS||SB, SNS|
|Internal Disclosure||NN||NN||Document in release notes||SB
For publicly known high- severity vulnerabilities affecting multiple products, a security bulletin may be published with a patch for one product, and then updated later with other patches and descriptions for the other products as they become available.
Security bulletins with multiple vulnerable products will list all products, enterprise and consumer, in the following categories:
Security bulletins are not usually published on Friday afternoons, unless it is a crisis scenario.
Vulnerability vs. Risk Scores
Intel Security participates in the industry-standard CVSS vulnerability scoring system. CVSS scores should be considered as a starting point to determine what risk a particular vulnerability may pose to Intel Security's customers. The CVSS score should not be confused with a risk rating of the seriousness of vulnerabilities that may occur in Intel Security/McAfee products or the associated runtime environments on which Intel Security products execute.
Starting with the CVSS score, Intel Security uses "Just Good Enough Risk Rating" (JGERR) to rate the risk of any potential issue that may impact Intel Security products. JGERR became a SANS Institute Smart Guide in 2012. JGERR is based upon "Factor Analysis of Information Risk" (FAIR), an Open Group standard. When rating risk with JGERR, additional factors such as the presence and activity of threat agents, attack vectors, exposure of a vulnerability to threat agents, the ease or difficulty of exploiting the vulnerability, and any impacts from exploitation are all factored into the risk analysis. Vulnerability in isolation is just one aspect of an Intel Security risk rating.
The CVSS base score determines our initial response to a given incident. The Intel Security risk rating determines how quickly we deliver a patch or update.
Security Bulletins may contain product lists with the following designations: Vulnerable, Not Vulnerable, Vulnerable but Not Exploitable, and Vulnerable, but Low Risk. The list below describes what each of these categories means in terms of potential customer impact: