Coordination and Disclosure Process

Last updated: 2016-04-12

In order to drive more secure technology, we need to deeply understand how attacks work. The Advanced Threat Research team does exactly this. When we discover vulnerabilities, we seek to spread the understanding and drive mitigations through coordination with other stakeholders and a coordinated disclosure process. We have worked closely with various industry groups that receive such reports and understand that this can be complicated. Consistent with what McAfee asks regarding vulnerability handling, this document outlines what you can expect from ATR's coordination and disclosure.

Coordinated Disclosure Process
Our initial communications will usually be private and directed toward those who can develop and deploy effective mitigations. This communication includes some key items:

  • Disclosure Plan: This outlines our proposed timeline for public disclosure. While each issue merits its own consideration, we usually propose approximately three to six months, depending on complexities such as multi-party alignment or updated infrastructure.
  • Vulnerability Description: This is where we explain the technical details of the issue(s).
  • Potential Mitigation Options: While we are not aware of all the considerations necessary to completely address issues in non-McAfee products, we try to help by offering some options that could mitigate the issue.

We will attempt to work with reasonable requests to adjust the disclosure timeline. In cases of active exploitation or other threats, however, more rapid disclosure may be needed.

Follow Up
After reaching out to those who are in the best position to mitigate the issue, we will continue to follow up on any discussion. We may check in to see how things are going or review materials to be published according to the disclosure plan.

Public Disclosure
When coordination is complete and the time for public disclosure has arrived, the ATR team will strive to provide clear technical details with the intent to educate. This will include information about the issues as well as detection and mitigation options that we believe to be available. In doing so, we hope to avoid exaggeration while improving the understanding required to drive more secure technology.

Other Disclosure Policies