Intel amplifies Bug Bounty rewards to attract more security researchers
Intel's Bug Bounty program has been updated with a new rewards scheme for side channel vulnerabilities that could net eagle-eyed researchers up to US$250,000.
Intel’s VP of platform security, Rich Echevarria, announced the updates in a blog last week. In his words, the program updates support its security-first pledge that resulted from the recent Spectre and Meltdown issues.
Intel’s Bug Bounty program has been operating since March 2017 to work with researchers in an effort to identify and mitigate potential security issues.
“If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available,” Intel’s HackerOne page states.
Echevarria explains that the company made updates to the program to “More broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.”
The most notable program update is Intel’s move to make the Bug Bounty Program available to all security researchers, rather than its former invitation-only program. Intel explains that this will expand the pool of eligible researchers.
The updated program also includes a new side channel program with rewards of up to $250,000 for the most severe vulnerabilities. The vulnerabilities must be Root-caused to Intel hardware and/or exploitable via software.
The company has also raised its bounties in other areas across the board, with the most severe vulnerability awards offering up $100,000 for Intel hardware, up to $30,000 for Intel firmware and up to $10,000 for Intel software.
According to the company’s HackerOne page, it has paid out US$93,000 in bounties so far, with the average bounty payout of $5000. The highest bounty payouts have been between US$10,000-$30,000.
Echevarria says that coordinated disclosure from initiatives such as bug bounty programs is the best way to protect customers from security exploits.
He believes it minimizes the risk that exploitable information is made public before mitigation is available.
“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published,” he says.
“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate,” he concludes.