With Intel's updated bug bounty program, you could earn big bucks for finding the next Meltdown
Intel has updated its bug bounty program, offering up to $250,000 to anyone identifying vulnerabilities in its hardware and software. The key update here is that the program is now open to everyone through the HackerOne platform -- it was previously open to selected security researchers on an invite-only basis.
The move comes in the wake of the Meltdown and Spectre chip vulnerability revelations, and it's clearly an attempt by Intel to not only ramp up its security, but to be seen doing so. The company says it wants to create "a process whereby the security research community can inform us, directly and in a timely fashion, about potential exploits that its members discover."
Over on the HackerOne website Intel has a new presence where it talks about organizing a coordinated response to any vulnerability that's discovered. For the sake of security, the company asks that any vulnerability reports be encrypted using GnuPG or PGP. It says: "Coordinated disclosure is widely regarded as the best way to responsibly protect customers from security exploits. It minimizes the risk that exploitable information becomes publicly known before mitigations are available. Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published."
Intel highlights three key changes to the program:
- Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
- Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
- Raising bounty awards across the board, with awards of up to $100,000 for other areas.
The program covers a wide range of Intel hardware, firmware and software, and the following guidelines apply:
- Intel will award a Bounty for the first report of a vulnerability with sufficient details to enable reproduction by Intel.
- Intel will award a Bounty from $500 to $250,000 USD depending on the nature of the vulnerability and quality & content of the report.
- The first external report received on an internally known vulnerability will receive a maximum of $1,500 USD Award.
- The approved CVSS calculators which may be used for determining the baseline Severity of all reported vulnerabilities shall be either the NVD CVSSv3 calculator (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) or the FIRST CVSSv3 calculator (https://www.first.org/cvss/calculator/3.0) at Intel’s sole discretion.
- Intel will publicly recognize security researchers on advisories and Bug Bounty collateral, at or after the time of public disclosure of the vulnerability, if & as agreed to by the researcher who reported the vulnerability.
- Awards are limited to one (1) Bounty Award per eligible root-cause vulnerability. If that vulnerable component is present in other Intel products, a Bounty Award will be paid only for the first reported product instance. Intel, at its sole discretion, will decide whether the reported vulnerability is the first reported product instance of that root-cause vulnerability.
The rewards on offer are as follows:
| Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware |
| --- | --- | --- | --- |
| Critical (9.0 - 10.0) | Up to $10,000 | Up to $30,000 | Up to $100,000 |
| High (7.0 - 8.9) | Up to $5,000 | Up to $15,000 | Up to $30,000 |
| Medium (4.0 - 6.9) | Up to $1,500 | Up to $3,000 | Up to $5,000 |
| Low (0.1 - 3.9) | Up to $500 | Up to $1,000 | Up to $2,000 |
Until the end of 2018, Intel is also running a bug bounty program concerned with side channel vulnerabilities that are root-caused to Intel hardware and exploitable via software. The following pay scales apply:
| Vulnerability Severity | Intel Hardware w/ Side Channel Exploit through Software |
| --- | --- |
| Critical (9.0 - 10.0) | Up to $250,000 |
| High (7.0 - 8.9) | Up to $100,000 |
| Medium (4.0 - 6.9) | Up to $20,000 |
| Low (0.1 - 3.9) | Up to $5,000 |