Minimizing Impact Through Vulnerability Mitigation and Disclosure
The Intel Product Security Incident Response Team (PSIRT) works to minimize customer impact through the mitigation and public disclosure of security vulnerabilities. Intel PSIRT supports and governs policies, processes, and guidelines for addressing security vulnerabilities that may affect Intel shipped and supported products.
Coordinated Vulnerability Disclosure
Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation. Intel PSIRT policies, processes and guidelines are designed to support and encourage the principles and practices of Coordinated Vulnerability Disclosure (CVD).
PSIRT team members work with the security community, customers, and end users to help ensure that security vulnerabilities affecting Intel products in production are documented and solutions are released according to CVD principles. We follow and help lead this common industry practice for reported security vulnerabilities on Intel shipped and supported products, with the aim of reducing adversary advantage while a security vulnerability is being evaluated and, if appropriate and feasible, mitigated.
In addition to practicing inbound CVD and partnering with external security researchers, we coordinate outbound vulnerability disclosure with industry partners and external stakeholders, when appropriate. The goal is for all affected parties to disclose in unison for an optimal defensive position.
The multiparty coordinated vulnerability disclosure model puts Intel in a position of balancing between upstream security researchers and industry partners that use Intel technologies. This balance requires trust. Intel is committed to maintaining third-party embargoes (i.e., those of vendors, suppliers, security researchers, and third-party coordinators).
In cases where vulnerability information is under embargo and Intel suspects a partner company may be affected by the vulnerability, Intel submits a request to the coordinating or reporting party to report the issue under embargo to partners.