Our friends at Intel have an exciting announcement! Their bug bounty program is live. Read all about it below and check out more details on their HackerOne security page.
Intel launches its first bug bounty program.
Today, at the CanSecWest security conference, Intel launched its first Bug Bounty program targeted at Intel Products. We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability. By partnering constructively with the security research community, we believe we will be better able to protect our customers.
Scope and Severity Ratings
Intel Software, Firmware, and Hardware are in-scope. The harder a vulnerability is to mitigate, the more we pay.
Intel considers several factors when determining the severity of a vulnerability. Our first step is to use the CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model for the given product.
| Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware |
|---|---|---|---|
| Critical | Up to $7,500 | Up to $10,000 | Up to $30,000 |
| High | Up to $2,500 | Up to $5,000 | Up to $10,000 |
| Medium | Up to $1,000 | Up to $1,500 | Up to $2,000 |
| Low | Up to $500 | Up to $500 | Up to $1,000 |
A few details on items that are not in the program scope:
- Intel Security (McAfee) products are not in-scope for the bug bounty program.
- Third-party products and open source are not in-scope for the bug bounty program.
- Intel’s Web Infrastructure is not in-scope for the bug bounty program.
- Recent acquisitions are not in-scope for the bug bounty program for a minimum period of 6 months after the acquisition is complete.