Intel Extends Bug Bounty Program
Written by Alex Armstrong   
Friday, 16 February 2018

To support its Security-First Pledge made as a response to Meltdown and Spectre, Intel is opening up its Bug Bounty Program to all security researchers, raising bounty awards and offering a new program focused specifically on side channel vulnerabilities.


The Intel® Bug Bounty Program was launched in March 2017 but up until now was an invitation-only scheme. According to its HackerOne page, since its inception $93,000 has been paid out with an average bounty of $5,000; 14 reports have been resolved and thanks extended to 15 security researchers.

When Brian Krzanich published his open letter on January 11, his assurance was:

By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

This is a commitment that has proved impossible to fulfill, and in his announcement of the expansion of the Bug Bounty Program, Rick Echevarria notes that moving from an invitation-only program to one that is open to all security researchers will significantly expand the pool of eligible researchers.

Under the revised program, the main requirements for participation are:

  • You are reporting in an individual capacity or, if employed by another company, you have that company’s written approval to submit a report to Intel’s Bug Bounty program.

  • You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.

There are the usual exclusions about not being on the US list of sanctioned individuals or being a resident of a US-embargoed country, and neither you nor any family or household member can have been working for Intel or one of its subsidiaries within 6 months. In addition, you have to agree to participate in testing mitigation effectiveness and coordinate disclosure/release/publication of your finding with Intel.

To be eligible for Bounty Award consideration, a report must identify an original and previously unreported and not publicly disclosed vulnerability and must be encrypted with the Intel PSIRT public PGP key, available at A report must include clear documentation on the vulnerability and instructions on how to reproduce the vulnerability and needs to include your assessed CVSS v3 vector string, score, and rating using one of two approved CVSS v3 calculators.


To make this worthwhile, this is the new schedule of awards, in which Intel Software, Firmware, and Hardware are all in scope.


You'll notice that the highest rewards, up to $100,000, are for vulnerabilities in Intel Hardware, which includes the following:

  • Processor (inclusive of micro-code ROM + updates)
  • Chipset
  • FPGA
  • Networking / Communication
  • Motherboard / System (e.g., Intel Compute Stick, NUC)
  • Solid State Drives

The Intel Firmware encompassed by the program, attracting bounties of up to $30,000, includes:

  • UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
  • Intel® Management Engine
  • Baseboard Management Controller (BMC)
  • Motherboard / System (e.g., Intel Compute Stick)
  • Solid State Drives 

while device drivers, applications and tools count as software, with rewards up to $10,000.

Note, however, that vulnerabilities already known to Intel, or in pre-release versions and versions no longer under active support, are excluded.

The new limited-duration program, focused specifically on side channel vulnerabilities that are root-caused to Intel Hardware and exploitable via software, runs until December 31, 2018.

The award for disclosures under this program is up to $250,000: 



Again, the harder a vulnerability is to mitigate, the more Intel will pay.



More Information

Intel Bug Bounty Program

Intel's Page on HackerOne


Last Updated ( Friday, 16 February 2018 )
