michelangelus - Fotolia
Intel bug bounty programs widened after Meltdown and Spectre
Intel's bug bounty program expanded its scope and rewards for bugs across all Intel products, and the company added a new program for side-channel flaws like Meltdown and Spectre.
Intel has sweetened the pot for researchers who uncover bugs in its products and added a new bug bounty program for uncovering side-channel attacks, like the Meltdown and Spectre vulnerabilities made public early this year.
As the fallout from the Meltdown and Spectre disclosure continues to resonate throughout the industry, Intel opened a limited duration "Side Channel Program, scheduled to run through the end of 2018, with rewards as high as $250,000 available for side-channel exploits of Intel hardware through software.
Intel's bug bounty programs are now open to all, rather than open only to invitees. "[Intel is] shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers," Rick Echevarria, vice president and general manager of platform security at Intel, wrote in an announcement about the Intel bug bounty program changes.
Modifications to the Intel bug bounty program include increases of the top bounty awards to a maximum of $100,000 for the most vexing flaws in Intel hardware. When the Intel bug bounty program was rolled out in March of last year, the top award for hardware flaws was $30,000. The Intel bug bounty program considers bugs in Intel software, hardware and firmware.
Top awards increased for vulnerabilities reported in Intel software and firmware, as well. The vendor offers up to $10,000 for software bugs -- up from $7,500 -- and up to $30,000 for firmware bugs, which was formerly capped at $10,000.
The pay scale is based on the CVSS severity rating of the submitted vulnerability, as shown in the table below, based on the Intel bug bounty program page.
The Intel bug bounty program homepage explained the criteria for receiving the maximum award: "The harder a vulnerability is to mitigate, the more we pay."
The Side Channel Program is the most recent change Intel has made in the aftermath of the Meltdown and Spectre disclosures. Last month, the chipmaker created a new group known as the Intel Product Assurance and Security Group, which Intel said will focus on cross-company efforts to improve product security.
In addition, Intel CEO Brian Krzanich wrote in a "security-first pledge" that the company would also "commit to adding incremental funding for academic and independent research into potential security threats."