IPAS: 2019 Product Security Report

Hi everyone,

With 2019 behind us, we are looking back at our investments in security and the vulnerabilities we addressed throughout the year, as well as the overall impact of Intel’s continued leadership in product security assurance and industry engagement.

For the full 2019 product security report, click HERE.

As we look at the data, two key points stand out:

  1. Of the 236 Common Vulnerabilities and Exposures (CVE) IDs addressed in 2019, 144 (61%) were discovered internally by Intel through our ongoing security assurance efforts.
  2. An additional 70 CVEs (30%) were reported through our bug bounty program.

When you look at these two stats together, the result is that 91% of the CVEs addressed in 2019 were found and mitigated as the direct result of Intel’s investment in product security assurance and the proactive discovery and mitigation of product vulnerabilities.

61% of vulnerabilities with a “HIGH” CVSS score and 75% with a “CRITICAL” score were found by Intel.

It is also interesting to note that the vast majority of issues, 95%, were addressed in software and/or firmware and a total of 11 issues, or 5%, were addressed with microprocessor updates.

Reporting internally found vulnerabilities is not a standard practice across the technology industry, but we believe that this practice provides a critical level of transparency to our customers. At Intel, transparency is part of our Security First Pledge.

Intel would like to thank all of the external researchers who reported issues to us for coordinating disclosure. Following the guidelines of Coordinated Vulnerability Disclosure (CVD) has become the norm across the industry, and Intel continues to help lead and support the development of hardware-specific guidelines together with partners and the research community.

To review our security advisories, please visit the Intel Security Center.

Regards,

Jerry Bryant
Director of Communications
Intel Product Assurance and Security


About Jerry Bryant

Jerry Bryant is a Senior Director of Security Communications at Intel Corp., where he leads communications strategy, vulnerability issues management, and field and customer readiness within the Intel Product Assurance and Security Group (IPAS). Jerry has over 20 years of experience in product security incident response within Fortune 50 companies and specializes in vulnerability handling, incident/crisis management, threat intelligence sharing, and industry and government engagement. He believes strongly in sharing lessons learned and helping to advance the knowledge and readiness of defenders across the industry. Jerry is a co-author of the Product Security Incident Response Team (PSIRT) Services Framework, a cross-industry collaboration through the Forum for Incident Response and Security Teams (FIRST.org).