Security is a collaboration
Intel Corporation believes that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities in Intel products and technologies. Like other major technology companies, Intel incentivizes security researchers to report security vulnerabilities in Intel products and technologies to us to enable a coordinated response and minimize the risk to persons potentially subject to or affected by the vulnerability. To encourage closer collaboration with the security research community on these kinds of issues, Intel created its Bug Bounty Program. If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available.
Please encrypt your vulnerability reports with GnuPG or PGP using the Intel Product Security Incident Response Team public PGP key, which can be found at www.intel.com/security. If you are having trouble encrypting your vulnerability report, send a message to firstname.lastname@example.org, our PSIRT team email address, to identify a method to securely transmit the vulnerability report.
Bug Bounty Reporting
The Intel Bug Bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in Intel branded products & technologies to us. What follows are program requirements and additional information. By submitting your report to the Intel Bug Bounty program, you assert that you meet each of these requirements.
Reporter Requirements: (Must meet all for participation)
To be eligible for Bounty Award consideration, your report must meet the following requirements:
Intel, at its sole discretion, may reject any submission that it determines does not meet these criteria or that Intel rejects as ineligible as set forth below.
The aim of the Intel Bug Bounty program is to continually improve the security of Intel products and technologies and minimize the impact of security vulnerabilities on our users. The following are general categories of vulnerabilities that are considered ineligible for a Bounty Award:
Intel encourages the reporting of all potential vulnerabilities, and will carefully review each report. Intel reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these ineligible categories of vulnerabilities, even if otherwise eligible for a bounty. Any conduct by a researcher or reporter that appears to be unlawful, malicious or criminal in nature will immediately disqualify any submission from the program.
Sensitive and Personal Information and Eligibility
If you identify a vulnerability that could be used to obtain access to sensitive content, including information that could be used to identify an individual (personal information), you
Failure to comply with the above will immediately disqualify any report from Bounty Award eligibility.
Eligible Intel products and technologies:
Bug Bounty Awards
How Are Bounty Awards & Recognitions Determined?
Eligibility for any award and award determinations are made at Intel’s sole discretion, under these general guidelines, and may vary from published amounts:
Permanent Award Schedule:
This is the umbrella Bug Bounty Award Schedule. In addition, there may be limited duration bounty programs targeting specific threats, vulnerabilities, or technologies. Vulnerabilities that do not qualify for a limited duration program will use this schedule, subject to Eligibility requirements defined above.
Intel Software, Firmware, and Hardware are in scope. The harder a vulnerability is to mitigate, the more we pay.
| Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware |
|---|---|---|---|
| Critical (9.0 - 10.0) | Up to $10,000 | Up to $30,000 | Up to $100,000 |
| High (7.0 - 8.9) | Up to $5,000 | Up to $15,000 | Up to $30,000 |
| Medium (4.0 - 6.9) | Up to $1,500 | Up to $3,000 | Up to $5,000 |
| Low (0.1 - 3.9) | Up to $500 | Up to $1000 | Up to $2,000 |
Limited Duration Side Channel Program:
Through December 31st, 2018, Intel is conducting a bug bounty program focused on side channel vulnerabilities that are:
Customers are best protected when the research community and vendor work closely with one another. Through this special program, Intel hopes to accelerate new innovative research and learning around these types of security issues.
| Vulnerability Severity | Intel Hardware w/ Side Channel Exploit through Software |
|---|---|
| Critical (9.0 - 10.0) | Up to $250,000 |
| High (7.0 - 8.9) | Up to $100,000 |
| Medium (4.0 - 6.9) | Up to $20,000 |
| Low (0.1 - 3.9) | Up to $5,000 |
Note on Severity Rating:
Intel considers a large number of factors when determining the severity of a vulnerability for the purposes of determining a Bounty Award. Our first step is to use an approved CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model of the given product.
Bounty Award Payment:
Bounty Award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. Intel generally makes Bounty Award payments in two separate installments upon the following milestones:
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with Bounty Award payments. Intel reserves the right to alter the terms and conditions of this program at its sole discretion.
Intellectual Property
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate and mitigate the vulnerability, and that you grant Intel any rights to your Submission needed to do so.
Out of Scope Findings:
For issues related to Intel managed open source projects, please visit http://www.01.org/security.
Please provide as much information as possible, including:
A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see: