Intel has announced it is considerably expanding its bug bounty programme in the hopes of heading the next Spectre or Meltdown vulnerability off at the pass, including allowing anyone to participate.
Following the discovery and public disclosure of the still-largely-unpatched Spectre and Meltdown speculative execution vulnerabilities - deliberate design choices made in most modern processors to boost performance but which turn out to be vulnerable to attack, allowing ne'er-do-wells unfettered read access to protected regions of memory - Intel has pledged a renewed focus on the security of its products. As the first concrete sign of that, the company has announced a change to its bug bounty programme - whereby security researchers are offered cash rewards in exchange for finding security flaws in Intel products - which opens it up to the general public for the first time.
'In support of our recent security-first pledge, we’ve made several updates to our [bug bounty] programme,' Intel's Rick Echevarria announced late yesterday. 'We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.'
Perhaps the biggest change: The programme is shifting from an invitation-only platform to general-access, whereby all security researchers signed up to the HackerOne platform will be eligible for rewards. Those rewards, too, have been boosted: Bounties have been increased to a peak of $100,000 for many security issues, while a new initiative designed to root out side-channel vulnerabilities similar to Spectre and Meltdown, running through to the end of the year, is eligible for a top payout of $250,000.
'We will continue to evolve the programme as needed to make it as effective as possible and to help us fulfill our security-first pledge,' added Echevarria. 'Thank you, in advance, to all of those across the industry who choose to participate.'
February 17 2020 | 09:00