Vulnerability Handling Guidelines
The Intel Product Security Incident Response Team (iPSIRT) proactively searches for and responds to reported security vulnerabilities in Intel products. Working with members of the security community, customers and end users, the iPSIRT works to best ensure that security vulnerabilities affecting Intel production products are documented and solutions are released in a responsible fashion. Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
Reporting a Potential Security Vulnerability
If you have discovered potential security vulnerability in an Intel product, please contact the iPSIRT at email@example.com. It is important to include the following details:
- The products and versions affected
- Detailed description of the vulnerability
- Information on known exploits
Vulnerability information is extremely sensitive. The iPSIRT strongly recommends that all security vulnerability reports sent to Intel be encrypted using the iPSIRT PGP key. The PGP key is available here.
Software to encrypt messages may be obtained from:
• PGP Corporation
Publication of Security Information
The iPSIRT publishes two types of security information at the Intel Product Security Center.
Security Advisories: Provide information about security vulnerabilities identified with Intel products, including any fixes, workarounds or other actions.
Security Notices: Provide information of general interest about security topics related to Intel products or the use of Intel products.
Vulnerability Handling Process
Security vulnerabilities in Intel products are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of 4 key steps:
Reporting: The process begins when the iPSIRT becomes aware of a potential security vulnerability in an Intel product. The reporter receives an acknowledgement and updates throughout the handling process.
Evaluation: The iPSIRT confirms the potential vulnerability, assesses the risk, determines the impact and assigns a processing priority. If the vulnerability is confirmed, the priority determines how the issue is handled throughout the remaining steps in the process.
Solution: Working with the product team, the iPSIRT develops a solution that mitigates the reported security vulnerability. Solutions will take different forms based on the vulnerability. In cases where a vulnerability is being actively exploited, Intel may deliver a temporary solution to contain the issue while working on the full solution.
Communication: The iPSIRT publishes a security advisory for severe issues. Less severe issues are communicated through other methods. Advisories are published at the Intel Product Security Center and released simultaneously to all customers. For previously unknown or unreported issues, Intel will acknowledge the reporter in the advisory if requested.
Intel supports the advancement of processes, tools and organizations to develop products that meet the security requirements of our customers and end users. Intel is an active member of FIRST (Forum of Incident Response and Security Teams) and works closely with Computer Emergency Response Teams and other worldwide groups.