Intel has launched a public bug bounty program with individual rewards going as high as $250,000, the company said today in a press release.
Intel had previously run a bug bounty program, but that one was limited to submissions from a few selected security researchers only.
The new bug bounty program will be hosted on the HackerOne platform, and Intel has opened up its hardware, firmware, and software products for the occasion.
Almost all Intel products are up for hacking
Any security researcher with a HackerOne account can now hunt for a selected list of bugs in Intel products such as CPUs, chipset code, SSDs, motherboards, networking cards, and their respective firmware, drivers, and OS-level applications.
In-depth details of what's in or out of scope are available on Intel's regular bug bounty page and its new HackerOne profile.
Based on the bugs they find, researchers could be earning anything from $500 to $250,000.
Intel is running two bug bounty programs
There are actually two bug bounty programs. One is the normal bug bounty program, with rewards from $500 to $100,000, and the second is a bug bounty program for side channel bugs.
The top dollars will go to researchers who discover side-channel bugs, who could make from $5,000 to $250,000. This program will end on December 31, 2018.
According to Intel, side channel bugs are vulnerabilities that are rooted in the component's hardware design and are exploitable via local software. Meltdown and Spectre are side channel bugs.
Intel says it will pay researchers based on the vulnerability's severity on the CVSS v3.0 scale.
It's a PR stunt. The problem wasn't bug reporting.
Through its new bug bounty program, Intel is trying to wash away the image of a disastrous patching process. In reality, the new bug bounty program is nothing more than a PR move, and even if it had been in place last year, it wouldn't have helped.
Intel received notice of the Meltdown and Spectre bugs in June 2017, but it took four months to notify downstream OEMs about the issues, doing so in November.
Despite this, when public disclosure came around, Intel did not have CPU microcode patches available for OEM vendors, and the Meltdown and Spectre flaws are still largely unpatched even today.