Intel Bug Bounty Program

Intel launches its first bug bounty program

At the CanSecWest Security conference on March 14, 2017, Intel launched its first Bug Bounty program targeted at Intel Products. We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability. By partnering constructively with the security research community, we believe we will be better able to protect our customers.

Scope and Severity Ratings

Intel Software, Firmware, and Hardware are in scope. The harder a vulnerability is to mitigate, the more we pay.

Vulnerability Severity   Intel Software   Intel Firmware   Intel Hardware
Critical                 Up to $7,500     Up to $10,000    Up to $30,000
High                     Up to $2,500     Up to $5,000     Up to $10,000
Medium                   Up to $1,000     Up to $1,500     Up to $2,000
Low                      Up to $500       Up to $500       Up to $1,000

A few details on items that are not in the program scope:

  • Intel Security (McAfee) products are not in-scope for the bug bounty program.
  • Third-party products and open source are not in-scope for the bug bounty program.
  • Intel’s Web Infrastructure is not in-scope for the bug bounty program.
  • Recent acquisitions are not in-scope for the bug bounty program for a minimum period of 6 months after the acquisition is complete.

Participation Guidelines

As Intel launches an invitation-only bug bounty program, it is important that the selection of participants is done in a structured manner. What follows are hard requirements for any participant together with a set of considerations. Together, these help to inform Intel’s decision on whether or not to extend an invitation.

Requirements: (Must meet all for participation)

  • Participating in an individual capacity or with the permission of your employer
  • Must be at least 18 years of age, and, if considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.
  • Not a resident of a US-embargoed country
  • Not on a US list of sanctioned individuals
  • Not currently, nor within the 6 months prior to submission, an employee of Intel Corporation or an Intel subsidiary
  • Not currently, nor within the 6 months prior to submission, under contract to Intel Corporation or an Intel subsidiary
  • Not a family or household member of an employee or an individual under contract, as each is described in the two requirements listed directly above
  • If employed by another company, must have that company’s approval for Intel bug bounty participation

Considerations: (Desirable to meet all for participation)

  • Has a history of engaging in coordinated disclosure
  • Has shown an ability to find interesting vulnerabilities in Intel products
  • Works in a field that is aligned with Intel’s strategic direction
  • Works in a professional and timely manner

Satisfaction of these requirements and considerations by an applicant does not guarantee that the applicant will receive an invitation to participate in the program. Intel, at its sole discretion, will decide whether to extend an invitation to participate in the program and may revoke an invitation to participate at any time.

Bug Bounty Payments

Philosophy:

  • Payments are greater for products that are less survivable (HW>FW>SW)
  • Payments are greater for working exploits than for vulnerabilities
  • Payments are greater for higher priority threats / security objectives

Eligible Submissions:

To be eligible for payment, a submission must meet the following criteria:

  • Must be for an item explicitly listed below as in-scope for a bug bounty
  • Must identify an original and previously unreported vulnerability
  • Must have been tested against the most recent publicly available version
  • Must include clear documentation on the vulnerability and instructions on how to reproduce the vulnerability
  • Must follow coordinated disclosure

Intel, at its sole discretion, may reject any submission that it determines does not meet these criteria or that Intel rejects as ineligible as set forth below.

Ineligible Submissions:

The aim of the bug bounty program is to continually improve the security of Intel products and minimize the impact of security issues on our users. The following are examples of vulnerabilities that do not meet the requirements for a bounty:

  • Vulnerabilities in pre-release versions (e.g., Beta, Release Candidate)
  • Vulnerabilities in versions no longer under active support
  • Vulnerabilities already known to Intel
  • Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product

Intel encourages the submission of all vulnerabilities and will carefully review each. Intel reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these ineligible categories of vulnerabilities, even if otherwise eligible for a bounty.

How are payment amounts set?

Payment determinations are made at Intel’s sole discretion.

  • Intel will pay from $500 to $30,000 USD depending on the nature of the vulnerability and quality of submission
  • Intel will pay for the first submission of a vulnerability with sufficient details to enable reproduction by Intel
  • The first external report received on an internally known issue will receive a maximum of $1,500 USD
  • Intel will publicly recognize security researchers on advisories and bug bounty collateral if agreed to by the researcher

The payment ranges for eligible submissions will be based upon the following criteria:

Scope:

Intel hardware

  • Processor (inclusive of micro-code ROM + updates)
  • Chipset
  • FPGA
  • Networking / Communication
  • Motherboard / System (e.g., Intel Compute Stick, NUC)
  • Solid State Drive

Intel firmware

  • UEFI BIOS (TianoCore components for which Intel is the only named maintainer)
  • Intel Management Engine
  • Baseboard Management Controller (BMC)
  • Motherboard / System (e.g., Intel Compute Stick)
  • Solid State Drives

Intel software

  • Device driver
  • Application
  • Tool

Payment Schedule:

Vulnerability Severity   Intel Software   Intel Firmware   Intel Hardware
Critical                 Up to $7,500     Up to $10,000    Up to $30,000
High                     Up to $2,500     Up to $5,000     Up to $10,000
Medium                   Up to $1,000     Up to $1,500     Up to $2,000
Low                      Up to $500       Up to $500       Up to $1,000

* High-quality reports (those that are well written and provide complete instructions and information for Intel) lead to higher payouts.

Severity Rating:

Intel considers a large number of factors when determining the severity of a vulnerability. Our first step is to use the CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model of the given product.

Certain Out-of-Scope Products

Payment determinations are made at Intel’s sole discretion.

  • McAfee products are not in-scope for the bug bounty program
  • Third-party products and open source packages are not in-scope for the bug bounty program
  • Intel products intended for prototyping use, or which are “open” in order to provide customers with debugging capability, are not in-scope for the bug bounty program
  • Intel freeware applications are not in-scope for the bug bounty program
  • Intel’s Web Infrastructure is not in-scope for the bug bounty program
  • Recent acquisitions by Intel are not in-scope for the bug bounty program for a minimum period of 6 months after the acquisition is complete

Payments are limited to one (1) bug bounty per eligible root-cause vulnerability. If that vulnerable component is present in other Intel products, a bounty will be paid only for the first reported product instance. Intel, at its sole discretion, will decide whether the reported vulnerability is the first reported product instance of that root-cause vulnerability.

Payment arrangements under this program, including but not limited to the timing and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. Intel’s preference is to make program payments after the vulnerability is resolved. Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with payments.


Reporting a security issue

If you have information about a security issue or vulnerability with an Intel product, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see the Vulnerability handling guidelines.

Need product support?

The secure@intel.com e-mail address should only be used for reporting security issues. If you:

  • Have questions about the security features of an Intel product
  • Require technical support
  • Want product updates or patches

please visit Support & Downloads.