Intel announced that it will expand its bug bounty program to include side-channel bugs, and it also increased the rewards it will give the researchers who find new flaws. The company hopes this will encourage researchers to uncover all the potential vulnerabilities in its chips so it can fix them before attackers find them.
Intel’s Need For Better Security
Last spring, Intel officially launched a bug bounty program to incentivize researchers to find flaws in its chips. Since then, researchers have found multiple Management Engine vulnerabilities as well as the recent Meltdown and Spectre flaws, two side-channel vulnerabilities.
Intel may get more than it bargained for in terms of what security researchers will be able to find. Its products should ultimately become more secure, however, and its customers, both consumers and businesses, should be safer against attacks, too.
Intel has also recently made a “security-first pledge,” which includes releasing fixes for older chips and developing new hardware architectures that prioritize security. Intel has been backed into a corner by the Meltdown and Spectre flaws over the past month, so such statements are also somewhat expected. It remains to be seen if the company’s future chips will indeed live up to that promise. However, at least so far, the company seems to be making the right moves to improve the security of its chips.
Improvements To Bug Bounty Program
New updates to the Intel Bug Bounty program include:
- Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
- Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
- Raising bounty awards across the board, with awards of up to $100,000 for other areas.
More details about the program can be found at Intel’s security site or its HackerOne page. Intel also promised to further evolve the program to more effectively fulfill its security-first pledge.