Intel Opens Bug Bounty Program to All Researchers, Offers up to $250,000 for Flaws Similar to Meltdown and Spectre
Intel on Wednesday announced major changes to its bug bounty program, including that it’s now open to all researchers, and significant rewards for exploits similar to Meltdown and Spectre.
Researchers who find critical hardware vulnerabilities that allow software-based side-channel attacks – just like Meltdown and Spectre – can earn up to $250,000. Flaws classified as high severity are worth up to $100,000, while medium- and low-risk issues are worth up to $20,000 and $5,000, respectively. The severity of a flaw is determined based on its CVSS base score, adjusted depending on the security objectives and threat model of the targeted product.
The part of Intel’s bug bounty program covering side-channel exploits will run until December 31, 2018.
Intel also announced that its bug bounty program is now open to all researchers – it was invitation-only until now. When the company launched this initiative back in March 2017, the maximum reward for hardware vulnerabilities was $30,000, but it has now been increased to $100,000 for critical flaws.
The maximum amount the company is prepared to pay for firmware vulnerabilities has increased from $10,000 to $30,000, and for software flaws from $7,500 to $10,000.
The list of hardware products covered by Intel’s bug bounty program includes processors, chipsets, field-programmable gate array (FPGA) integrated circuits, networking and communications equipment, motherboards, and solid-state drives.
“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” said Rick Echevarria, vice president and general manager of Platform Security at Intel.
Intel was made aware of the Spectre and Meltdown attack methods several months before researchers disclosed them, but many are unhappy with the way the company handled the situation.
While Spectre and Meltdown also affect processors from AMD, ARM and IBM, Intel was hit the hardest. The company started releasing microcode updates shortly after the existence of the vulnerabilities was brought to light, but the first round of patches introduced stability problems. Intel started releasing a second round of updates, which should address these issues, only last week.
The company says its future CPUs will include protections against attacks like Meltdown and Spectre.
Related: Intel Tests Performance Impact of CPU Patches on Data Centers
Related: Industry Reactions to Meltdown, Spectre Attacks