Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/14/2018
04:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Intel Expands Bug Bounty Program, Offers up to $250K

Microprocessor giant adds vulnerability-finding category for Meltdown, Spectre-type flaws.

Intel is doubling down on its existing bug bounty program by opening it up to all security researchers and adding an entire category for vulnerabilities akin to the dangerous Meltdown and Spectre flaws recently exposed in its microprocessors.

The chip company today announced that it had expanded its nearly one-year old bug bounty program in an effort to forge closer ties to the security research community and offer bigger financial incentives for coordinated response and disclosure of flaws in its products.

Intel previously ran an invitation-only bug bounty program. In addition to opening up its vulnerability compensation program to all researchers, Intel also added a section specifically for side-channel vulnerabilities through Dec. 31 of this year. Researchers who discover these types of bugs can earn up to $250,000, the company said.

"In support of our recent security-first pledge, we’ve made several updates to our program. We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data," Rick Echevarria, vice president and general manager of platform security at Intel wrote in a post announcing the changes.

Intel also raised bug bounty award amounts overall, with grants up to $100,000. The company's program runs on HackerOne's platform

These changes to the program come in the wake of the major disclosure last month of critical flaws in most modern microprocessors, including Intel's: a common method used for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example.

The so-called Meltdown and Spectre hardware vulnerabilities allow for so-called side-channel attacks. With Meltdown, sensitive information in the kernel memory is at risk of being accessed nefariously; with Spectre, a user application could read the kernel memory as well as that of another application. The end result: an attacker could read sensitive system memory containing passwords, encryption keys, and emails — and use that information to help craft a local attack.

Intel's new bug bounty program for side-channel vulns focuses on vulnerabilities in hardware that are exploitable in software, the company said. "Through this special program, Intel hopes to accelerate new innovative research and learning around these types of security issues," Intel said in a post detailing the short-term bounty.

The bug bounties for the side-channel flaws range from up to $5,000 for low-severity flaws to $250,000 for critical flaws.

"Like many large, complex organizations, Intel is searching for the right incentive model to help protect their users and supply chain partners. It isn't as simple as throwing more money at a problem to really secure the Intel ecosystem," says Katie Moussouris, founder of Luta Security. "Careful reward structures that are lawful for the company, the participating hackers, the partners, and the customers take a considerable amount more to develop, so I hope for all of society's sake that chip manufacturers and other members of the global critical computing infrastructure evolve thoughtfully to bounty smarter, not harder."

Intel has been under fire for the fallout experienced by the initial firmware fixes it released for Meltdown and Spectre. The company issued an unusual advisory late last month  urging its customers and partners to refrain from applying some of the firmware patches. Navin Shenoy, executive vice president and general manager of Intel's Data Center, called for customers and OEMs to halt installation of patches for its Broadwell and Haswell microprocessors after widespread reports of spontaneous rebooting of systems affixed with the new patches.

Meanwhile, Intel CEO Brian Krzanich told analysts in an earnings call late last month that the company will roll out new products later this year that mitigate the Meltdown and Spectre vulnerabilities.

Alex Rice, co-founder and CTO of HackerOne, says Intel's short-term bounty for side-channel vulnerabilities makes sense. "Bounty programs are more powerful the more they incentivize the specific type of research that would be most valuable to the company," he says. "In Intel's case, side-channel attacks are a highly complex specialization that their team has invested heavily in defending against."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.