Even the best CPUs can have security holes. To help identify them, Intel has announced an evolution of its existing bug bounty program, which rewards hackers who identify and report vulnerabilities in Intel's hardware and software releases. "Project Circuit Breaker", as it's been named, will work as a series of standalone, time-constrained events for "specific new platforms and technologies." Participants will get a chance to receive Intel-provided training and hardware, and will be able to work alongside Intel engineers in the discovery of hardware and software flaws.
Katie Noble, Intel's director for the Product Security Incident Response Team (PSIRT) and Bug Bounty efforts, said that “Project Circuit Breaker is possible thanks to our cutting-edge research community. This program is part of our effort to meet security researchers where they are and create more meaningful engagement. We invest in and host bug bounty programs because they attract new perspectives on how to challenge emerging security threats – and Project Circuit Breaker is the next step in collaborating with researchers to strengthen the industry’s security assurance practices, especially when it comes to hardware. We look forward to seeing how the program will evolve and to introducing new voices to the meaningful work that we do.”
Intel's efforts to increase the actual and perceived security of its products saw a forced boost in 2018, in the wake of the Spectre/Meltdown crisis. The company even devised its own Fort Knox for legacy and actual security research by building a secret facility in Costa Rica.
Considering how Intel's bug bounty program was responsible for 97 of 113 externally-reported vulnerabilities in 2021, the impact of community-based security research seems to be an increasingly important piece of the company's ethos. External researchers that aren't part of Intel culture and know-how are likely better able to approach security problems (and their exploits) creatively. It also allows Intel to tap into the collective brain power of the cybersecurity community, who put in the work and hours required to identify these vulnerabilities, but only get paid should they hit the proverbial pot of gold.
"For the first time, security researchers are able to work directly with Intel’s product and security teams through live hacking events that may include bounty multipliers up to 4x," the Circuit Breaker main site reads. "Capture the flag contests and other training will help prepare researchers for challenges, which may include access to beta software and/or hardware and other unique opportunities."
Project Circuit Breaker is already ongoing, with the first time-boxed event, "Camping with Tigers", having launched in December with a team of 20 external security researchers. This particular bug-hunting sprint will end by May, and the participants will receive payouts according to the severity of identified vulnerabilities across three reward tiers. That the announcement is being made today means that the format has been successful and is now being integrated into Intel's product security efforts.