Product Security Bulletins 

    McAfee is highly focused on ensuring the security of our customers' computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, providing recommendations through security bulletins and knowledgebase articles.

    View Product Security BulletinsMcAfee Product Security Practices

     

    Report a Security Vulnerability

    To report a finding, please send a detailed email to psirt@mcafee.com. The email must include the following:

    • Summary of your finding
    • Detailed steps to reproduce the issue including any sample code and screenshots/videos
    • For Product vulnerabilities, please share:
      • Product
      • Version
      • Operating system
    • For Website vulnerabilities, please share:
      • Browser
      • Version
    • Any disclosure plans

    A member from the PSIRT team will reach out to you and assist with working with the internal teams to validate the finding and providing a fix should the finding be valid.

    Product or website vulnerability reports
    McAfee PSIRT
    Email: psirt@mcafee.com
    PGP Key: Download Zip

    McAfee product or software performance, or subscription issues
    Contact support >

    Submit a virus sample
    Learn more >

    Submit a URL for classification, or challenge a classification
    Learn more >

    About PSIRT

    Contact McAfee PSIRT
    Email: psirt@mcafee.com

    PSIRT Policy Statements

    Actionable
    McAfee will not announce product or software vulnerabilities publicly without an actionable workaround, patch, hotfix, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For vulnerabilities with a lot of media attention, such as HeartBleed, we will post a banner stating our awareness and actions.

    No Favorites
    To be fair, McAfee discloses product vulnerabilities to all customers at the same time. Large customers typically do not get advanced notice. Advanced notice may be granted by the CISO on a case-by-case basis and only with a strict NDA.

    Discoverers
    McAfee gives credit to vulnerability discoverers only if:

    • They desire to be identified as a discoverer.
    • They did not “zero day” us or make their research public before the SB or KB is published.

    Organizations, individuals, or both may be identified as discoverers.

    CVSS Scoring
    The most current Common Vulnerability Scoring System (CVSS) version is to be used. CVSS v3.1 is currently being used.

    All security bulletins must include the CVSS scores for each vulnerability as well as the associated CVSS vectors. The base score is required. Both temporal and environmental scores are optional. Ideally base scores should match the scores assigned by NIST to CVEs.

    Response Policy
    McAfee’s fix and alert response depends upon the highest CVSS base score.

    Priority (Security) CVSS Score Typical Fix Response*
    P1 - Critical 9.0-10.0 Critical Hotfix
    P2 - High 7.0-8.9 High Update
    P3 - Medium 4.0-6.9 Medium Update
    P4 - Low 0.0-3.9 Low Version Update
    P5 - Info 0.0 Will not fix. Informational.

    *Note: The fix response is based upon the severity of the vulnerability, the product lifecycle, and the feasibility of a fix. The typical fix response described above is not a commitment to produce a hotfix, patch, or version update for all supported product versions.

    External Communication Mechanisms
    McAfee’s external communication mechanism depends upon the CVSS base score, the number of customer inquiries, and the amount of media attention.

    • SB = Security Bulletin (4-10)
    • KB = KnowledgeBase Article (2-4)
    • SS = Sustaining Statement (0-4)
    • NN = Not Needed (0)
      CVSS = 0
    Low    		 0 < CVSS < 4
    Low    		 4 ≤ CVSS < 7
    Medium    		 7 ≤ CVSS ≤ 10
    High
    External Disclosure (CVE)* KB if multiple inquiries, else NN KB SB SB
    Customer Disclosure SS SS SB SB
    Internal Disclosure NN Document in release notes SB (post-release), Document in release notes SB (post-release), Document in release notes

    *By default, McAfee does not issue CVEs for issues scoring below 4.0.

    Crisis Scenarios
    For publicly known high-severity vulnerabilities affecting multiple products, a security bulletin may be published with a patch for one product, and then updated later with other patches and descriptions for the other products as they become available.

    Security bulletins with multiple vulnerable products will list all products, in the following categories:

    • Vulnerable and updated
    • Vulnerable and not yet updated
    • Vulnerable but low risk (given standard deployment best practices)
    • Not vulnerable
    • Being investigated (optional)

    Security bulletins are not usually published on Friday afternoons, unless it is a crisis scenario.

    Vulnerability vs. Risk Scores
    McAfee participates in the industry-standard CVSS vulnerability scoring system. CVSS scores should be considered as a starting point to determine what risk a particular vulnerability may pose to McAfee's customers. The CVSS score should not be confused with a risk rating of the seriousness of vulnerabilities that may occur in McAfee products or the associated runtime environments on which McAfee products execute.

    The CVSS base score determines our initial response to a given incident.

    Security Bulletins may contain product lists with the following designations: Vulnerable, Not Vulnerable, and Vulnerable, but Low Risk. The list below describes what each of these categories means in terms of potential customer impact:

    • Vulnerable: A product contains a verified vulnerability. The vulnerability poses some level of risk to customers. The associated CVSS score may be taken as an indication of the seriousness of impact from exploitation of the vulnerability in typical deployment scenarios.
    • Not Vulnerable: A product does not contain the vulnerability or the presence of a vulnerable component cannot be exploited in any manner. Use of the product presents no additional risk for customers.
    • Vulnerable, but Low Risk: A product contains the vulnerability, perhaps as an included library or executable in the software image, however the impact from exploitation is negligible and provides no additional attacker value from exploitation. Use of the product likely presents little additional risk for customers using the product in recommended and typical deployment scenarios.

     

    * Important Terms and Offer Details:

    .

     Subscription, Free Trial, Pricing and Automatic Renewal Terms:

     Subscription, Free Trial, Pricing and Automatic Renewal Terms: 

    • The amount you are charged upon purchase is the price of the first term of your subscription. The length of your first term depends on your purchase selection. 30 days before your first term is expired, your subscription will be automatically renewed on an annual basis and you will be charged the renewal subscription price in effect at the time of your renewal, until you cancel (Vermont residents must opt-in to auto-renewal.)
    • Unless otherwise stated, if a savings amount is shown, it describes the difference between the introductory first term price (available only to customers without an existing McAfee subscription) and the renewal subscription price (e.g., first term price vs. each year thereafter).
    • Pricing is subject to change. If the renewal price changes, we will notify you in advance so you always know what’s going on.
    • You can cancel your subscription or change your auto-renewal settings any time after purchase from your My Account page. To learn more, click here.
    • You will be provided a full refund upon request, by contacting Customer Support within 30 days of your initial purchase or 60 days of auto-renewal.
    • Your subscription is subject to our License Agreement and Privacy Notice. Subscriptions covering "all" devices are limited to supported devices that you own. Product features may be added, changed or removed during the subscription term.  Not all features may be available on all devices.  See System Requirements for additional information.
    • Free Trial Terms: At the end of your trial period you will be charged $39.99 for the first term. After the first term, you will be automatically renewed at the renewal price (currently $109.99/yr). We will charge you 7-days before renewal. You can cancel at any time before you are charged. ​
    • Unlimited plans cover only household devices that you own for personal, non-commercial use, and is subject to our fair use policy.  If you have an issue adding a device, please contact Customer Support.

     **Free Benefits With Auto-Renewal:

     **Free Benefits With Auto-Renewal:

    • For many qualifying product subscriptions McAfee offers additional benefits for free when you are enrolled in auto-renewal. You can check your eligibility for these benefits in your My Account page. Not all benefits are offered in all locations or for all product subscriptions.  System Requirements apply.   Turning off auto-renewal terminates your eligibility for these additional benefits. 
    • Virus Protection Pledge (VPP): If we cannot remove a virus from your supported device we’ll refund you the amount you paid for your current term subscription.  The refund does not apply to any damage or loss caused by a virus.  You are responsible for backing up your data to prevent data loss. See terms here: mcafee.com/pledge.
    • Safe Connect VPN:  You will receive free, unlimited access to our VPN wireless on supported devices. Users not on auto-renewal have access to 500 MB/month of bandwidth.

      Additional Terms Specific to Identity Monitoring Service:

      Additional Terms Specific to Identity Monitoring Service:

    • Eligibility: McAfee® Identity Monitoring Service Essentials is available within active McAfee+ Premium, McAfee+ Advanced, McAfee+ Ultimate, McAfee Total Protection and McAfee LiveSafe subscriptions. Not all identity monitoring elements are available in all countries. See License Agreement for more information. 
    • Your subscription is subject to our License Agreement and Privacy Notice. Product features may be added, changed or removed during the subscription term. Some features may require registration and a valid ID number to activate. See System Requirements for additional information.
    • While McAfee Identity Monitoring Service provides you tools and resources to protect yourself from identity theft, no identity can be completely secure.
    • US Only:
      Fair Credit Reporting Act: You have numerous rights under the FCRA, including the right to dispute inaccurate information in your credit report(s). Consumer reporting agencies are required to investigate and respond to your dispute, but are not obligated to change or remove accurate information that is reported in compliance with applicable law. While this plan can provide you assistance in filing a dispute, the FCRA allows you to file a dispute for free with a consumer reporting agency without the assistance of a third party.
    • Identity theft coverage is not available in New York due to regulatory requirements.

      TechMate :

      TechMate :

    • Your TechMate license(s) is available with the purchase of a qualified TechMaster Concierge subscription and is accessible for the duration of your paid subscription.
    • TechMate is only available for Windows Vista, 7, 8.1, and 10.

      TechMaster Single Incident Services :

      TechMaster Single Incident Services :

    • Purchase of a single incident service, such as Device Set Up or Advanced Troubleshooting, is good for one issue. In the event the issue recurs within 7 days, there will be no additional charge for service on the same device for the same issue.
    • See our System Requirements for information on qualified devices.


    Corporate Headquarters
    6220 America Center Drive
    San Jose, CA 95002 USA

    Products

    McAfee+
    McAfee® Total Protection
    McAfee Antivirus
    McAfee Safe Connect
    McAfee PC Optimizer
    McAfee TechMaster
    McAfee Mobile Security

    Resources

    Antivirus
    Free Downloads
    Parental Controls
    Malware
    Firewall
     Blogs
    Activate Retail Card
    McAfee Labs
    McAfee Enterprise

    Support

    Customer Service
    FAQs
    Renewals
    Support Community

    About

    About McAfee
    Careers
    Contact Us
    Newsroom
    Investors
    Legal Terms
    Your Privacy Choices
    System Requirements
    Sitemap

      United States / English Copyright © 2023 McAfee, LLC