Intel Corp has announced the launch of its first bug bounty program, offering rewards up to $30,000 for hardware vulnerabilities.
The program, announced at CanSecWest with HackerOne, enlists white hats all over the globe to hunt for bugs in Intel’s software, firmware and hardware.
“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” the company said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”
Unsurprisingly, the harder a vulnerability is to mitigate, the more the chipmaker will pay. Intel said that it considers several factors when determining the severity of a vulnerability. The first step is to use the CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model for the given product.
For software, rewards can range up to $7,500; for firmware, up to $10,000; and for hardware, up to $30,000.
Items that are not in the program scope include Intel Security (McAfee) products; third-party products and open source; and Intel’s web infrastructure. Recent acquisitions are also not in scope for the bug bounty program for a minimum period of six months after the acquisition is complete.