Intel Extends Bug Bounty Program
Written by Alex Armstrong
Friday, 16 February 2018

To support its Security-First Pledge made as a response to Meltdown and Spectre, Intel is opening up its Bug Bounty Program to all security researchers, raising bounty awards and offering a new program focused specifically on side channel vulnerabilities.


The Intel® Bug Bounty Program was launched in March 2017 but up until now was an invitation-only scheme. According to its HackerOne page, since its inception $93,000 has been paid out with an average bounty of $5,000; 14 reports have been resolved and thanks extended to 15 security researchers.

When Brian Krzanich published his open letter on January 11, his assurance was:

By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

This is a commitment that has proved impossible to fulfill, and in his announcement of the expansion of the Bug Bounty Program, Rick Echevarria notes that moving from an invitation-only program to one that is open to all security researchers will significantly expand the pool of eligible researchers.

Under the revised program the main requirements for participation are:

  • You are reporting in an individual capacity or, if employed by another company, you have that company’s written approval to submit a report to Intel’s Bug Bounty program.

  • You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.

There are the usual exclusions: you must not be on the US list of sanctioned individuals or be a resident of a US-embargoed country, and neither you nor any family or household member can have worked for Intel or one of its subsidiaries within the previous 6 months. In addition you have to agree to participate in testing mitigation effectiveness and to coordinate disclosure/release/publication of your finding with Intel.

To be eligible for Bounty Award consideration, a report must identify an original, previously unreported and not publicly disclosed vulnerability, and must be encrypted with the Intel PSIRT public PGP key, available at https://security-center.intel.com/PGPPublicKey.aspx. A report must include clear documentation of the vulnerability and instructions on how to reproduce it, and needs to include your assessed CVSS v3 vector string, score, and rating, produced using one of two approved CVSS v3 calculators.


To make this worthwhile, here is the new schedule of awards, in which Intel software, firmware and hardware are all in scope.

[Image: Intel Bug Bounty Program award schedule]

You'll notice that the highest rewards, up to $100,000, are for vulnerabilities in Intel Hardware, which includes the following:

  • Processor (inclusive of micro-code ROM + updates)
  • Chipset
  • FPGA
  • Networking / Communication
  • Motherboard / System (e.g., Intel Compute Stick, NUC)
  • Solid State Drives

The Intel Firmware encompassed by the program, attracting bounties of up to $30,000, includes:

  • UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
  • Intel® Management Engine
  • Baseboard Management Controller (BMC)
  • Motherboard / System (e.g., Intel Compute Stick)
  • Solid State Drives

while device drivers, applications and tools count as software, with rewards of up to $10,000.

Note, however, that vulnerabilities already known to Intel, or found in pre-release versions or in versions no longer under active support, are excluded.

The new limited-duration program, focused specifically on side channel vulnerabilities that are root-caused to Intel Hardware and exploitable via software, runs until December 31, 2018.

The award for disclosures under this program is up to $250,000:

[Image: side channel bug bounty award schedule]

Again, the harder a vulnerability is to mitigate, the more Intel will pay.

More Information

Intel Bug Bounty Program

Intel's Page on HackerOne

Related Articles

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope


Last Updated ( Friday, 16 February 2018 )