Intel has announced it will begin rewarding researchers who responsibly disclose security vulnerabilities they find in its products.
On 15 March, the Santa Clara-based multinational corporation and technology company unveiled its first-ever bug bounty. It made the announcement in Vancouver, British Columbia at the CanSecWest security conference, one of The State of Security’s five gems in the world of information security conferences.
As quoted on its bug bounty page:
“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability. By partnering constructively with the security research community, we believe we will be better able to protect our customers.”
HackerOne, a platform which already manages the bug bounty programs for entities ranging from Twitter to the Pentagon and Army, is now responsible for managing Intel’s initiative.
This latest reporting program applies to Intel’s software, firmware, and hardware with a few notable exceptions. For instance, bug bounty hunters stand to gain nothing from exploring Intel Security (McAfee) products for vulnerabilities. The company has also deemed third-party products and open source, its web infrastructure, and acquisitions that it’s held for less than six months off-limits.
Researchers can net some respectable rewards for responsibly disclosing flaws they find in Intel’s in-scope products. For instance, with a CVSS 3.0 calculator determining a vulnerability’s base score, participants in the program could earn as much as $30,000 for reporting a “Critical” hole in the company’s hardware. “Critical” bugs found in firmware and software could earn researchers awards with a maximum value of $10,000 and $7,500, respectively. Even reporting “Low”-severity vulnerabilities comes with an award that ranges in value from $500 to $1,000.
In this day and age, it’s important that every company and organization with the means to do so follows Intel’s lead and launches a bug bounty program.