Story image

Intel amplifies Bug Bounty rewards to attract more security researchers

19 Feb 2018

Intel's Bug Bounty program has been updated with a new rewards scheme for side channel vulnerabilities that could net eagle-eyed researchers up to US$250,000.

Intel’s VP of platform security, Rich Echevarria, announced the updates in a blog last week. In his words, the program updates support its security-first pledge that resulted from the recent Spectre and Meltdown issues.

Intel’s Bug Bounty program has been operating since March 2017 to work with researchers in an effort to identify and mitigate potential security issues.

“If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available,” Intel’s HackerOne page states.

Echevarria explains that the company made updates to the program to “More broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.”

The most notable program update is Intel’s move to make the Bug Bounty Program available to all security researchers, rather than its former invitation-only program. Intel explains that this will expand the pool of eligible researchers.

The updated program also includes a new side channel program with rewards of up to $250,000 for the most severe vulnerabilities. The vulnerabilities must be Root-caused to Intel hardware and/or exploitable via software.

The company has also raised its bounties in other areas across the board, with the most severe vulnerability awards offering up $100,000 for Intel hardware, up to $30,000 for Intel firmware and up to $10,000 for Intel software.

According to the company’s HackerOne page, it has paid out US$93,000 in bounties so far, with the average bounty payout of $5000. The highest bounty payouts have been between US$10,000-$30,000.

Echevarria says that coordinated disclosure from initiatives such as bug bounty programs is the best way to protect customers from security exploits.

He believes it minimizes the risk that exploitable information is made public before mitigation is available.

“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published,” he says.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate,” he concludes.

Why SD-WAN is key for expanding businesses - SonicWall
One cost every organisation cannot compromise on is reliable and quick internet connection.
New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.