sb-nz logo
Story image

Intel amplifies Bug Bounty rewards to attract more security researchers

19 Feb 2018

Intel's Bug Bounty program has been updated with a new rewards scheme for side channel vulnerabilities that could net eagle-eyed researchers up to US$250,000.

Intel’s VP of platform security, Rich Echevarria, announced the updates in a blog last week. In his words, the program updates support its security-first pledge that resulted from the recent Spectre and Meltdown issues.

Intel’s Bug Bounty program has been operating since March 2017 to work with researchers in an effort to identify and mitigate potential security issues.

“If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available,” Intel’s HackerOne page states.

Echevarria explains that the company made updates to the program to “More broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.”

The most notable program update is Intel’s move to make the Bug Bounty Program available to all security researchers, rather than its former invitation-only program. Intel explains that this will expand the pool of eligible researchers.

The updated program also includes a new side channel program with rewards of up to $250,000 for the most severe vulnerabilities. The vulnerabilities must be Root-caused to Intel hardware and/or exploitable via software.

The company has also raised its bounties in other areas across the board, with the most severe vulnerability awards offering up $100,000 for Intel hardware, up to $30,000 for Intel firmware and up to $10,000 for Intel software.

According to the company’s HackerOne page, it has paid out US$93,000 in bounties so far, with the average bounty payout of $5000. The highest bounty payouts have been between US$10,000-$30,000.

Echevarria says that coordinated disclosure from initiatives such as bug bounty programs is the best way to protect customers from security exploits.

He believes it minimizes the risk that exploitable information is made public before mitigation is available.

“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published,” he says.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate,” he concludes.

Story image
Entrust launches cloud-based ID issuance solution
The Sigma instant ID solution uses encryption, trusted HSM technology and secure boot to issue highly secure physical and mobile identities.More
Story image
How to secure your business against DDoS Attacks
With the upward trend of DDoS attacks this year, and an increased dependency on online channels across all industries, businesses need to be prepared, so they don’t suffer any disruption. More
Story image
Video: 10 Minute IT Jams - SonicWall VP discusses the importance of endpoint security
In this video, Dmitriy discusses the exposure points and new risks that come as a result of widespread flexible working arrangements, how organisations should secure their massively distributed networks, and how SonicWall's Boundless Cybersecurity model can solve these issues.More
Story image
IBM Security completes industry first with updates to Cloud Pak for Security solution
"With these updates, we will be the first in the industry to bring together external threat intelligence and threat management alongside data security and identity."More
Story image
Cisco report: Remote working is here to stay, making cybersecurity a top priority
"With this new way of working here to stay and organisations looking to increase their investment in cybersecurity, there’s a unique opportunity to transform the way we approach security as an industry to better meet the needs of our customers and end-users.”More
Story image
Nokia: Cyber attacks on internet-connected devices on the rise
Cyberattacks on internet-connected devices continue to rise at an alarming rate due to poor security protections.More