Intel works with HackerOne to find the best white hats

Mar 17, 2017 00:01 GMT

Lagging behind many other tech companies, Intel has finally launched a bug bounty program, offering rewards of up to $30,000 for hardware vulnerabilities. 

The program is being run via HackerOne, which enlists white hats from all over the globe to find security vulnerabilities in various software, firmware or hardware, depending on the hiring company.

"We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability. By partnering constructively with the security research community, we believe we will be better able to protect our customers," reads the announcement.

Get a score, get some cash

As is usual with this type of program, the harder a vulnerability is to mitigate, the more Intel will pay white hats.

The company takes into account several factors when determining the severity of a vulnerability. It first uses the CVSS 3.0 calculator to compute a base score, which is then adjusted based on the security objectives and threat model for the given product.

For instance, a critical vulnerability in Intel software will pay up to $7,500, while one found in the firmware will pay up to $10,000. The highest reward is for vulnerabilities found in Intel hardware, where the limit was set to $30,000.

Intel Security products are not in scope for the bug bounty program, and neither are any third-party products or open source. Intel's web infrastructure is also not subject to the bug bounty program. Any acquisitions the company makes are not included in the bug bounty program for the first six months after the deal is complete.

The fact that more and more companies are turning to bug bounty programs is encouraging because it indicates they take security seriously. Some giants like Google have their own programs in place, while others work together with HackerOne to run them.