Going public: Intel expands bug bounty program
Bounties have been raised across the board.
Amid the ongoing Meltdown and Spectre debacle, Intel has implemented numerous changes to its bug bounty program – a move the Santa Clara tech firm hopes will further incentivize security researchers to find and report potential vulnerabilities in its hardware and software platforms.
Intel launched its bug bounty program for selected researchers last March. As it approaches its first anniversary, the program has been expanded and is now open to all security researchers.
Bounties have been raised across the board, with reports of critical vulnerabilities in Intel software, firmware, and hardware now attracting rewards of $7,500, $10,000, and $30,000, respectively.
In addition to the bounty hikes, the company has rolled out an entirely new program focused specifically on side channel vulnerabilities.
The award for disclosures under this scheme, which has been implemented in the wake of the Meltdown and Spectre vulnerabilities, is up to $250,000.
“At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products,” said Rick Echevarria, vice president and general manager of platform security at Intel.
“Similar to other companies, one of the ways we’ve made this part of our operating model is through a bug bounty program.”
Discovered almost simultaneously by numerous independent security researchers around the world, the Meltdown and Spectre exploits take advantage of flaws related to ‘speculative execution’ – a feature on modern CPUs that helps boost performance by carrying out tasks ahead of time.
According to the researchers, a security loophole could allow unprivileged applications to not only monitor these tasks, which are held in the processor’s cache, but ultimately gain access to full system memory, potentially compromising passwords, encrypted communications, and financial information.
In its annual SEC filing, published on Friday, Intel revealed it is facing 32 lawsuits over the side channel exploits.