McAfee has partnered with HackerOne to handle reports of potential security or vulnerability issues in our products and public websites. We are running a private program with them and you will need to be invited to join before submitting your report.
For your first report, send an email to firstname.lastname@example.org.
This will trigger an automated response from HackerOne’s system that gives instructions on how to proceed. Subsequent reports can be submitted directly through the HackerOne system.
Any information included in your initial email will be automatically added to the HackerOne system.
Once in the system please provide:
- Contact information (all interaction will be through the system)
- Summary of your finding
- Detailed steps to reproduce including any sample code and screenshots/videos
- Product vulnerabilities
- Product, version, and operating system
- Website vulnerabilities
- Any disclosure plans
Product or website vulnerability reports
Enterprise product or software performance, or subscription issues
Consumer product or software performance, or subscription issues
Submit a virus sample
Submit a URL for classification, or challenge a classification
Contact McAfee PSIRT
PSIRT Policy Statements
McAfee will not announce product or software vulnerabilities publically without an actionable workaround, patch, hotfix, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For vulnerabilities with a lot of media attention, such as HeartBleed, we will post a banner stating our awareness and actions.
To be fair, McAfee discloses product vulnerabilities to all customers at the same time. Large customers typically do not get advanced notice. Advanced notice may be granted by the CISO on a case-by-case basis and only with a strict NDA.
McAfee gives credit to vulnerability discoverers only if:
- They desire to be identified as a discoverer.
- They did not “zero day” us or make their research public before the SB or KB is published.
Organizations, individuals, or both may be identified as discoverers.
The most current Common Vulnerability Scoring System (CVSS) version is to be used. CVSS v3.1 is currently being used.
All security bulletins must include the CVSS scores for each vulnerability as well as the associated CVSS vectors. The base score is required. Both temporal and environmental scores are optional. Ideally base scores should match the scores assigned by NIST to CVEs.
Support Notification Service (SNS) Message
A Support Notification Service (SNS) message, notice, or alert is required for all security bulletins. This is a service that McAfee Enterprise Support customers rely upon as well as other customers.
To subscribe to SNS text alerts, go to the SNS Request Center and subscribe
McAfee’s fix and alert response depends upon the highest CVSS base score.
|Priority (Security)||CVSS Score
||Typical Fix Response*
|P1 - Critical
|P2 - High
|P3 - Medium
|P4 - Low
|P5 - Info
||Will not fix. Informational.
*Note: The fix response is based upon the severity of the vulnerability, the product lifecycle, and the feasibility of a fix. The typical fix response described above is not a commitment to produce a hotfix, patch, or version update for all supported product versions.
External Communication Mechanisms
McAfee’s external communication mechanism depends upon the CVSS base score, the number of customer inquiries, and the amount of media attention.
- SB = Security Bulletin (4-10)
- KB = KnowledgeBase Article (2-4)
- SS = Sustaining Statement (0-4)
- NN = Not Needed (0)
| ||CVSS = 0|
|0 < CVSS < 4|
|4 ≤ CVSS < 7|
|7 ≤ CVSS ≤ 10
|External Disclosure (CVE)*
||KB if multiple inquiries, else NN
||Document in release notes
||SB (post-release), Document in release notes
(post-release), Document in release notes
*By default McAfee does not issue CVEs for issues scoring below 4.0.
For publicly known high-severity vulnerabilities affecting multiple products, a security bulletin may be published with a patch for one product, and then updated later with other patches and descriptions for the other products as they become available.
Security bulletins with multiple vulnerable products will list all products, enterprise and consumer, in the following categories:
- Vulnerable and updated
- Vulnerable and not yet updated
- Vulnerable but low risk (given standard deployment best practices)
- Not vulnerable
- Being investigated (optional)
Security bulletins are not usually published on Friday afternoons, unless it is a crisis scenario.
Vulnerability vs. Risk Scores
McAfee participates in the industry-standard CVSS vulnerability scoring system. CVSS scores should be considered as a starting point to determine what risk a particular vulnerability may pose to McAfee's customers. The CVSS score should not be confused with a risk rating of the seriousness of vulnerabilities that may occur in McAfee products or the associated runtime environments on which McAfee products execute.
The CVSS base score determines our initial response to a given incident.
Security Bulletins may contain product lists with the following designations: Vulnerable, Not Vulnerable, Vulnerable but Not Exploitable, and Vulnerable, but Low Risk. The list below describes what each of these categories means in terms of potential customer impact:
- Vulnerable: A product contains a verified vulnerability. The vulnerability poses some level of risk to customers. The associated CVSS score may be taken as an indication of the seriousness of impact from exploitation of the vulnerability in typical deployment scenarios.
- Not Vulnerable: A product does not contain the vulnerability or the presence of a vulnerable component cannot be exploited in any manner. Use of the product presents no additional risk for customers.
- Vulnerable, but Not Exploitable: A product contains the vulnerability, perhaps as an included library or executable in the image, however the product provides sufficient security controls such that the vulnerability is not exposed to threat agents making exploitation of the vulnerability very difficult to impossible. Use of the product presents no additional risk for customers.
- Vulnerable, but Low Risk: A product contains the vulnerability, perhaps as an included library or executable in the software image, however the impact from exploitation is negligible and provides no additional attacker value from exploitation. Use of the product likely presents little additional risk for customers using the product in recommended and typical deployment scenarios.