Intel boosts its Bug Bounty Program rewards to $250,000

Intel isn't the only company affected by the recent spate of processor-related security vulnerabilities, but the ubiquity of the silicon giant's chips and some of its design decisions over the years have made its products the juiciest targets. The company started its Bug Bounty Program last March in an effort to get security researchers to approach Intel before they release their findings to the public. The chipmaker is now expanding that program by opening it up to any participant and increasing the maximum bounty to the princely sum of $250,000.

Intel says the bounty program allows it to work with researchers to develop responses to security flaws before the knowledge of any vulnerabilities spread to the public. The company says the changes to the program are part of the "Security-First Pledge" it made to its customers last month. Intel is seeking bug reports related to its hardware, firmware, and software products, including CPUs, chipsets, FPGAs, SSDs, device drivers, and applications.

Aside from the larger prizes, the biggest change to the program is its move from an invitation-only affair to an open forum for security researchers who meet its eligibility requirements. The maximum quarter-million-dollar bounty is part of a program to identify side-channel vulnerabilities and is available only until the end of this year. Awards in other hardware-related areas top out at $100,000, and researchers can bag maximum bounties of $30,000 for firmware flaws and $10,000 for identification of critical software bugs. Intel offers additional details on its security page.

Comments closed
    • davidbowser
    • 2 years ago

    (disclaimer – I work for Google. My opinions are my own.)

    $10k-$250k is solid but is significantly less than some TOTALLY LEGAL businesses will pay so they can then sell them to their customers (government agencies and large corps). Read the Motherboard article linked below for background.

    Here are some other programs for reference:

    Microsoft
    https://technet.microsoft.com/en-us/library/dn425036.aspx

    Google
    https://www.google.com/about/appsecurity/reward-program/
    https://www.google.com/about/appsecurity/android-rewards/
    https://www.google.com/about/appsecurity/chrome-rewards/

    Apple - Big money, it's complicated, and evidently not popular with the researchers it was targeted at
    https://motherboard.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple

    Amazon Web Services - Not really
    https://aws.amazon.com/security/vulnerability-reporting/

    • watzupken
    • 2 years ago

    I feel the problem is not just about finding the bugs. In this recent problem of Meltdown and Spectre, they were clearly informed way in advance but failed to do anything to fix it from both a software and a hardware perspective. To add insult to injury, the fixes that they rolled out are causing systems to reboot. The tip-off only gave the CEO enough time to sell his shares before it became public knowledge.

      • Chrispy_
      • 2 years ago

      I think you’re forgetting that silicon has a long time from design to manufacture.

      I forget the exact timescales, but it’s likely that Ice Lake is being delayed because of the Spectre and Meltdown changes they put into effect last year. Unless Intel were informed of the severity of Spectre and Meltdown mid-2016, Coffee Lake was already out of the door for the design team at that point.

      With CPU manufacture, the various spins and designs mean that it’s 12-18 months between a product being designed and the actual hardware being available to buy. They can make minor tweaks and corrections up to about 9 months before final silicon but that’s more bug-fixing than redesigns of the architecture to add in new features like Spectre/Meltdown protection.

        • watzupken
        • 2 years ago

        While the hardware portion may be true, it also means that they are willing to live with a severe security issue at the hardware level. If they are customer centric, they could have done 2 things, which they chose not to do:
        1) Start working on a software fix, and not scramble 5 months later after the issue got announced. Clearly they were caught with their pants down in this case.
        2) If they need to sell their Coffee Lake, at least notify their customers of the potential issue. News out there says they only notified select customers.
        So again, what is the point of a bug bounty if they choose not to do either or both of the above?

          • Redocbew
          • 2 years ago

          Six months isn’t really that much time on the software side either. It’s easy to think otherwise given the initial botched patches, but I can almost guarantee you the patches had been under development for some time before the news went public.

    • Mr Bill
    • 2 years ago

    Intel… Tell us, not a hacker.

      • chuckula
      • 2 years ago

      Guys who play both sides: We’ll tell the hackers first and then tell you once we got their money!

        • derFunkenstein
        • 2 years ago

        and when the Russian mob whacks you, don’t come crying to me.

          • Wilko
          • 2 years ago

          If he’s able to come crying to you after the Russian mob whacks him, then they’re not very good at whacking people!

    • anotherengineer
    • 2 years ago

    Nice, if you didn't get taxed on that, you'd just need to get 1 good bug once every 5 years and you could just chill at home and that'd be your job lol

    • Redocbew
    • 2 years ago

    Bug Bounty manager: Hey, are we spending a lot on managing the fallout of Spectre and Meltdown?

    Uh, yeah.

    Gimme more budget, and maybe that won’t happen again.

    Ok.

    • wownwow
    • 2 years ago

    “Intel isn’t the only company affected by the recent spate of processor-related security vulnerabilities, but ”

    It's the only company that doesn't follow the privilege levels/rings it defined itself, INTENTIONALLY!

    It's the only company that needs kernel relocation, the industry's 1st and only!

    It's the only Meltdown inside!

      • chuckula
      • 2 years ago

      "It's the only company that doesn't follow the privilege levels/rings it defined itself, INTENTIONALLY!"

      You mean Meltdown? Funny how ARM managed to blunder into the same bug, but only on its "high performance" parts like the A75 core that lies at the heart of Qualcomm's newest 845 parts.

        • Shobai
        • 2 years ago

        ARM absolutely needs to sort that out, but don’t lose perspective: ARM is guilty of the flaw in one unreleased design – there are precisely zero affected systems currently and in the short term. Exactly how many affected Intel machines are in the wild?

    • wingless
    • 2 years ago

    TIM instead of solder is a bug….gimme my $250Gs!

      • just brew it!
      • 2 years ago

      It’s not a *security* bug though. Anybody who cares about security/stability isn’t running their chip out of spec (OCed or with inadequate cooling), which is where the substandard TIM matters.
