Story image

Intel amplifies Bug Bounty rewards to attract more security researchers

19 Feb 18

Intel's Bug Bounty program has been updated with a new rewards scheme for side channel vulnerabilities that could net eagle-eyed researchers up to US$250,000.

Intel’s VP of platform security, Rich Echevarria, announced the updates in a blog last week. In his words, the program updates support its security-first pledge that resulted from the recent Spectre and Meltdown issues.

Intel’s Bug Bounty program has been operating since March 2017 to work with researchers in an effort to identify and mitigate potential security issues.

“If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available,” Intel’s HackerOne page states.

Echevarria explains that the company made updates to the program to “More broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.”

The most notable program update is Intel’s move to make the Bug Bounty Program available to all security researchers, rather than its former invitation-only program. Intel explains that this will expand the pool of eligible researchers.

The updated program also includes a new side channel program with rewards of up to $250,000 for the most severe vulnerabilities. The vulnerabilities must be Root-caused to Intel hardware and/or exploitable via software.

The company has also raised its bounties in other areas across the board, with the most severe vulnerability awards offering up $100,000 for Intel hardware, up to $30,000 for Intel firmware and up to $10,000 for Intel software.

According to the company’s HackerOne page, it has paid out US$93,000 in bounties so far, with the average bounty payout of $5000. The highest bounty payouts have been between US$10,000-$30,000.

Echevarria says that coordinated disclosure from initiatives such as bug bounty programs is the best way to protect customers from security exploits.

He believes it minimizes the risk that exploitable information is made public before mitigation is available.

“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published,” he says.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate,” he concludes.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Palo Alto Networks integrates RedLock and VM-Series with AWS Security Hub
AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status.
Juniper simplifies data integration to improve threat detection
Updates to the Juniper Advanced Threat Prevention Appliances leverage third-party firewalls and security data sources.
Is mobile shopping compromising your enterprise security?
When employees do their holiday shopping on company resources, security teams have a challenge with the surge in browsing and online transactions.