Product Security at Intel
Commitment to Product Security
The security of our products is one of our most important priorities. We build security into our products, and we encourage our customers and others in the technology industry to do the same. We strive to design, manufacture, and sell the world’s most secure technology products, and we are continuously innovating and enhancing security capabilities for our products.
The purpose of this document is to provide more detail on our product security policy, including how we respond to vulnerabilities and engage with others in the industry.
Security First Pledge
The security of our products is an ongoing priority, not a one-time event. It begins with our Security Development Lifecycle, where security is engineered into our products from the outset. Once products are released, we continue to actively support them and address vulnerabilities. Beyond that, we are committed to working with the industry to share hardware and software innovations that will accelerate industry-level progress in security. We also are committed to funding academic and independent research into the prevention and mitigation of potential security threats.
Product Security Response Process
We work hard to find and mitigate security vulnerabilities in our products before we release them, but that is not always possible. Our products are highly complex and we cannot always anticipate all of the ways in which our products will be used or how sophisticated third parties will seek to undermine their integrity. Thus, we continue to test and evaluate our products after we release them to identify vulnerabilities. And, at times, third parties identify and disclose a vulnerability to us before we find it. When we learn of a vulnerability, from any source, our focus is to understand and mitigate that vulnerability as rapidly as we can. Sometimes we mitigate the vulnerability ourselves; other times we do so in conjunction with our customers, partners, and others in the industry.
Intel’s product security response will be tailored to the circumstances, but will generally proceed in five phases: (1) Initial evaluation, including verifying the vulnerability and identifying its scope; (2) architectural assessment, including identification of mitigation options; (3) mitigation development and assurance; (4) mitigation deployment; and (5) public disclosure.
Coordinated Disclosure of Security Vulnerabilities
Intel – and nearly the entire technology industry – follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed. (See CERT® Guide to Coordinated Vulnerability Disclosure.) Coordinated Disclosure protects technology users because public disclosure of a vulnerability before mitigations are deployed could allow cybercriminals to exploit the vulnerability.
Under Coordinated Disclosure, the general practice is initially to disclose information about a vulnerability only to those whose assistance is needed to mitigate the vulnerability. Disclosing the vulnerability to others could increase the risk that information will leak, allowing bad actors to exploit the vulnerability. Intel generally will not disclose information about a vulnerability to a broader group until after mitigations are deployed. However, depending on the circumstances, Intel may disclose information about a vulnerability where there is active exploitation of a vulnerability, or where there is an increased risk of public awareness or exploitation of a vulnerability and disclosure by Intel could reasonably be expected to mitigate risk to Intel customers and end users. [1]
Working with Our Customers and Other Third Parties
Given the nature of our products, we commonly work with our customers and other third parties, including hardware, software, and services vendors, as well as end users, to develop and deploy mitigations. Effective mitigation requires all these parties to work together in coordinated cooperation. While we work to understand and mitigate a vulnerability, we will manage information about that vulnerability on a highly confidential basis; we will distribute information only to those who need to know in order to assist us in mitigating the issue, and only to the extent necessary to enable them to do so. We ask any third parties who know of the vulnerability to maintain strict confidentiality until mitigations are deployed.
While no cybersecurity vulnerability is ever routine, Intel and other technology companies have identified, mitigated, and then disclosed thousands of vulnerabilities. Updates and patches are a regular part of modern technology products, and leading operating system vendors routinely release them as well. Among the best security practices for every technology user are installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
We encourage our industry partners to continue to support and apply these practices and principles to stay ahead of the evolving threat landscape.
Steps that Would Reduce Product Security
Intel product development policy and practices prohibit any intentional steps to allow undocumented device access (e.g., “backdoors”), exposure of sensitive device information, or a bypass of security features or restrictions of its products. While we always comply with the laws of the countries in which we do business, we would vigorously oppose any law that sought to compel us to include undocumented device access into our products.
For the latest security information on Intel products, click here.
If you would like to report a security vulnerability to Intel, and for more information on Intel’s “bug bounty” program, click here.
If you are a member of the press and have a question about product security, click here.
Product and Performance Information
[1] Intel’s policy on disclosing security-related issues draws from industry best practices, including the Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure from FIRST.org (Forum of Incident Response and Security Teams) and the CERT® Guide to Coordinated Vulnerability Disclosure. These guides use the term “coordinated disclosure,” which is widely used in the security community and in this policy. At times, Intel and others have used the term “responsible disclosure” synonymously with “coordinated disclosure.”