
Intel amplifies Bug Bounty rewards to attract more security researchers

19 Feb 2018

Intel's Bug Bounty program has been updated with a new rewards scheme for side channel vulnerabilities that could net eagle-eyed researchers up to US$250,000.

Intel’s VP of platform security, Rick Echevarria, announced the updates in a blog post last week. In his words, the program updates support the security-first pledge the company made in the wake of the Spectre and Meltdown disclosures.

Intel’s Bug Bounty program has been operating since March 2017 to work with researchers in an effort to identify and mitigate potential security issues.

“If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available,” Intel’s HackerOne page states.

Echevarria explains that the company made updates to the program to “More broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.”

The most notable program update is Intel’s move to open the Bug Bounty Program to all security researchers, rather than running it by invitation only as before. Intel says this will expand the pool of eligible researchers.

The updated program also includes a new side-channel program with rewards of up to US$250,000 for the most severe vulnerabilities. To qualify, a vulnerability must be root-caused to Intel hardware and/or exploitable via software.

The company has also raised its bounties in other areas across the board, with awards for the most severe vulnerabilities now reaching up to US$100,000 for Intel hardware, up to US$30,000 for Intel firmware and up to US$10,000 for Intel software.

According to the company’s HackerOne page, it has paid out US$93,000 in bounties so far, with an average bounty payout of US$5,000. The highest bounty payouts have been between US$10,000 and US$30,000.

Echevarria says that coordinated disclosure from initiatives such as bug bounty programs is the best way to protect customers from security exploits.

He believes it minimises the risk that exploitable information is made public before mitigations are available.

“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published,” he says.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate,” he concludes.
