Advanced Threat Research

Increasingly, people around the world depend on technology for their daily activities. Making this technology trustworthy involves a deep understanding of how attacks work. By researching security vulnerabilities, the Advanced Threat Research (ATR) team in Intel Security discovers opportunities to drive toward more secure technology.

 
Home | Research | Threat Intelligence | CHIPSEC
 

Coordination and Disclosure Process

Last updated: 2016-04-12

In order to drive more secure technology, we need to deeply understand how attacks work. The Advanced Threat Research team does exactly this. When we discover vulnerabilities, we seek to spread the understanding and drive mitigations through coordination with other stakeholders and a coordinated disclosure process. We have worked closely with various industry groups that receive such reports and understand that this can be complicated. Consistent with what Intel asks regarding vulnerability handling, this document outlines what you can expect from ATR's coordination and disclosure.

Questions regarding ATR's work can be directed to ATR or at secure@intel.com

Coordinated Disclosure Process

Our initial communications will usually be private and directed toward those who can develop and deploy effective mitigations. This communication includes some key items:

We will attempt to work with reasonable requests to adjust the disclosure timeline. In cases of active exploitation or other threats, however, more rapid disclosure may be needed.

Follow Up

After reaching out to those who are in the best position to mitigate the issue, we will continue to follow up on any discussion. We may check in to see how things are going or review materials to be published according to the disclosure plan.

Public Disclosure

When coordination is complete and the time for public disclosure has arrived, ATR will strive to provide clear technical details with the intent to educate. This will include information about the issues as well as detection and mitigation options that we believe to be available. In doing so, we hope to avoid exaggeration while improving the understanding required to drive more secure technology.

Other Disclosure Policies (for reference)