The New Intel Bug Bounty Program Revealed!
The Intel Bug Bounty Program was launched in March 2017, but after Meltdown and Spectre, Intel kicked it up a notch. Find out how you can earn up to $250,000 hunting bugs!
The New Intel Bug Bounty Program
The Intel Bug Bounty Program was created to incentivise security researchers to hunt for bugs in Intel’s products. However, it was an invitation-only program, which greatly limited the pool of eligible bug hunters.
On 14 February 2018, Rick Echevarria, the Vice President and General Manager of Platform Security at Intel, announced the expansion of the Intel Bug Bounty Program. Here are the changes:
- The Intel Bug Bounty Program is no longer invitation-only. Anyone who meets the minimum requirements is eligible to participate.
- Intel created a new bounty targeted specifically at side channel vulnerabilities (like Meltdown and Spectre). This bounty ends on 31 December 2018, and pays up to $250,000.
- Intel also raised bounty awards across the board, with awards of up to $100,000 for other vulnerabilities.
The New Intel Bug Bounty Awards
| Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware |
|---|---|---|---|
| Critical (9.0 – 10.0) | Up to $10,000 | Up to $30,000 | Up to $100,000 |
| High (7.0 – 8.9) | Up to $5,000 | Up to $15,000 | Up to $30,000 |
| Medium (4.0 – 6.9) | Up to $1,500 | Up to $3,000 | Up to $5,000 |
| Low (0.1 – 3.9) | Up to $500 | Up to $1,000 | Up to $2,000 |
- Intel will award a Bounty for the first report of a vulnerability with sufficient details to enable reproduction by Intel.
- Intel will award a Bounty from $500 to $250,000 USD depending on the nature of the vulnerability and quality & content of the report.
- The first external report received on an internally known vulnerability will receive a maximum of $1,500 USD Award.
- The approved CVSS calculators which may be used for determining the baseline Severity of all reported vulnerabilities shall be either the NVD CVSSv3 calculator or the FIRST CVSSv3 calculator at Intel’s sole discretion.
- Intel will publicly recognize security researchers on advisories and Bug Bounty collateral, at or after the time of public disclosure of the vulnerability, if & as agreed to by the researcher who reported the vulnerability.
- Awards are limited to one (1) Bounty Award per eligible root-cause vulnerability. If that vulnerable component is present in other Intel products, a Bounty Award will be paid only for the first reported product instance. Intel, at its sole discretion, will decide whether the reported vulnerability is the first reported product instance of that root-cause vulnerability.
The Side Channel Vulnerability Bounty Awards
This is a time-limited bounty that ends on 31 December 2018, and is limited to bugs that are:
- root-caused to Intel hardware
- exploitable via software
| Vulnerability Severity | Intel Hardware w/ Side Channel Exploit through Software |
|---|---|
| Critical (9.0 – 10.0) | Up to $250,000 |
| High (7.0 – 8.9) | Up to $100,000 |
| Medium (4.0 – 6.9) | Up to $20,000 |
| Low (0.1 – 3.9) | Up to $5,000 |