Recommended reading

Intel Expands Bug Bounty Program To Include Side-Channel Attacks

News
By published

Intel announced that it will expand its bug bounty program to include side-channel bugs, and it also increased the rewards it will give the researchers who find new flaws. The company hopes this will encourage researchers to uncover all the potential vulnerabilities in its chips so it can fix them before attackers find them.

Intel’s Need For Better Security

Last spring, Intel officially launched a bug bounty program to incentivize researchers to find flaws in its chips. Since then, researchers have found multiple Management Engine vulnerabilities as well as the recent Meltdown and Spectre flaws, two side-channel vulnerabilities.

Intel may get more than what it bargained for in terms of what security researchers will be able to find. Its products should ultimately become more secure, however, and both its customers, both consumers and businesses, should be safer against attacks, too.

Intel has also recently made a “security-first pledge,” which includes releasing fixes for older chips and developing new hardware architectures that prioritize security. Intel has been backed into the corner over the Meltdown and Spectre flaws over the past month, so such statements are also somewhat expected. It remains to be seen if the company’s future chips will indeed live up to that promise. However, at least so far, the company seems to be making the right moves to improve the security of its chips.

Improvements To Bug Bounty Program

New updates to the Intel Bug Bounty program include:

Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.Raising bounty awards across the board, with awards of up to $100,000 for other areas.

More details about the program can be found at Intel’s security site or its HackerOne page. Intel also promised to further evolve the program to more effectively fulfill its security-first pledge.

TOPICS
Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
3 Comments Comment from the forums
  • RCaron
    Why don't you say that this is the industry norm? That Intel is doing what everyone has always done with Academia.. seek support to find problems in the circuits they're building.

    Nice to see Intel finally asking others to check their work after so many bugs have been discovered in their CPU's, as opposed to burying or outright ignoring work that showed bugs, which Intel has done several times in the past.

    The only difference are these scholarships that Intel is offering to Academics, or industry professionals, that actually find something. This is nice, as it'll provide support for what is very difficult work.
    Reply
  • redgarl
    After years of prioritizing performance over security, Intel is now proposing silicon bounties...

    I cannot wait to see the impact on performance for patching their architectures.
    Reply
  • JamesSneed
    20707292 said:
    After years of prioritizing performance over security, Intel is now proposing silicon bounties...

    I cannot wait to see the impact on performance for patching their architectures.

    It probably will be negligible if the changes are in the silicon and not patches via microcode or OS code.
    Reply