Intel bug bounty programs widened after Meltdown and Spectre

Intel has sweetened the pot for researchers who uncover bugs in its products and  added a new bug bounty program for uncovering side channel attacks in its products like the Meltdown and Spectre vulnerabilities made public early this year.

As the fallout from the Meltdown and Spectre disclosure continues to resonate through the industry, Intel opened a limited duration "Side Channel Program," scheduled to run through the end of 2018, with rewards as high as $250,000 available for side channel exploits of Intel hardware through software.

Intel's bug bounty programs are now open to all, rather than open only to invitees. "Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers," Rick Echevarria, vice president and general manager of platform security at Intel, wrote in an announcement about the Intel bug bounty program changes.

Modifications to the Intel bug bounty program include increases of the top bounty awards to a maximum of up to $100,000 for the most vexing flaws in Intel hardware. When the Intel bug bounty program was rolled out in March of last year, the top award for hardware flaws was $30,000. The Intel bug bounty program considers bugs in Intel software, hardware and firmware; previously, the program was invitation-only.

Top awards increased for vulnerabilities reported in Intel software and firmware, as well: up to $10,000 is now on offer for software bugs (up from $7,500) and up to $30,000 for firmware bugs (formerly capped at $10,000).

The pay scale is based on the CVSS severity rating of the submitted vulnerability, as shown in the table below, based on the Intel bug bounty program page.

The harder a vulnerability is to mitigate, the more we pay.

The Intel bug bounty program home page explained the criteria for receiving the maximum award: "The harder a vulnerability is to mitigate, the more we pay."

The Side Channel Program is the most recent change Intel has made in the aftermath of the Meltdown and Spectre disclosures. Last month, the chip maker create a new group known as the Intel Product Assurance and Security Group, which Intel said will focus on cross-company efforts improve product security. In addition, Intel CEO Brian Krzanich wrote in a "Security-First Pledge" that the company would also "commit to adding incremental funding for academic and independent research into potential security threats."