Vulnerability Handling Guidelines
The Intel Open Source Security Incident Response Team (OSSIRT) proactively searches for and responds to reported security vulnerabilities in Intel-managed open source projects. The OSSIRT works with members of the security community, customers, and end users to best ensure that security vulnerabilities affecting Intel open source projects are documented and solutions are released in a responsible manner. Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
Reporting a Potential Security Vulnerability
If you have discovered a potential security vulnerability in an Intel product, please contact the iPSIRT at firstname.lastname@example.org. It is important to include the following details:
- The projects and versions affected
- Repository and home page links for the affected projects
- Detailed description of the vulnerability
- Information on known exploits
Vulnerability information is extremely sensitive. The OSSIRT strongly recommends that all security vulnerability reports sent to Intel be encrypted using the OSSIRT PGP key. The PGP key is available here.
Software to encrypt messages may be obtained from:
- PGP Corporation
Vulnerability Handling Process
Security vulnerabilities in Intel open source projects are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of 4 key steps:
Reporting: The process begins when the OSSIRT becomes aware of a potential security vulnerability in an Intel-managed open source project. The reporter receives an acknowledgement and updates throughout the handling process.
Evaluation: The OSSIRT confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a processing priority. If the vulnerability is confirmed, the priority determines how the issue is handled throughout the remaining steps in the process.
Solution: Working with the product team, the OSSIRT develops a solution that mitigates the reported security vulnerability. Solutions will take different forms based on the vulnerability. In cases where a vulnerability is being actively exploited, Intel may deliver a temporary solution to contain the issue while working on the full solution.
Communication: The OSSIRT publishes a security advisory for severe issues. Less severe issues are communicated through other methods. Advisories are published at the OSSIRT Advisory page and released simultaneously to all customers. For previously unknown or unreported issues, Intel will acknowledge the reporter in the advisory if requested.
Intel supports the advancement of processes, tools, and organizations to develop products that meet the security requirements of our customers and end users. Intel is an active member of FIRST (Forum of Incident Response and Security Teams) and works closely with Computer Emergency Response Teams and other worldwide groups.