Coordinated Vulnerability Disclosure
Coordinated Reporting to Minimize Impact
Our security assurance practices adhere to industry best practices for Coordinated Vulnerability Disclosure (CVD). CVD is a process for reducing adversary advantage while a security vulnerability is being mitigated. Intel and much of the tech industry follow a form of CVD, under which a cybersecurity vulnerability is publicly disclosed only after mitigations are available.
CVD pertains to the processes and methods by which vulnerabilities are shared and disclosed. At times, the final date for publication of a Security Advisory may require coordination and collaboration with industry groups, external security researchers, and/or business partners.
We disclose information about security vulnerabilities to stakeholders who can best help us mitigate the vulnerabilities as quickly as possible. We may engage with different stakeholders at different stages throughout the coordinated disclosure process. Intel selects appropriate stakeholders by evaluating applicable factors, such as their capabilities to aid with one or more of the following:
- Analyze and test security vulnerability claims
- Identify needed mitigation and develop such mitigation
- Test and improve mitigation
- Deploy and communicate mitigation
The CVD process helps build a trusted foundation for computing through collaboration with researchers that allows companies to develop mitigations and share findings. The cumulative benefits are broader industry resilience to common weaknesses, more secure products, and heightened public awareness and confidence.