Intel, which is still wrestling with the fallout of the Meltdown and Spectre vulnerabilities, is expanding its bug-bounty program.
Whereas Intel’s bug-bounty program was previously invitation-only, it is now open to all security researchers. A new program to squish side-channel vulnerabilities will pay out awards up to $250,000. Other discoveries could earn you $100,000. More details about the program, including researcher requirements and eligible reports, are available on a dedicated Intel webpage.
Intel won’t pay out for all vulnerabilities, however: bugs discovered in pre-release versions of products aren’t eligible; that also goes for products no longer actively supported. The chipmaker will pay out bigger awards for “products that are less survivable,” i.e., hardware is the most “lucrative” because its vulnerabilities are often harder to repair, followed sequentially by firmware and software, which can often be fixed via patches.
Intel will pay out more for working exploits than vulnerabilities, and for higher-priority threats and security objectives. The amount of payout is also somewhat dependent on researchers submitting well-written reports with “complete reproduction instructions/proof-of-concept (PoC) material.”
Numerous companies have offered bug bounties over the past several years, including Tesla, Microsoft, Facebook, and even the Department of Defense. On paper, the idea is ideal: shell out a relatively minuscule amount of cash (at least by corporate standards) in order to unleash a crowd of smart people who can help plug your major and minor vulnerabilities. In 2016, then-Secretary of Defense Ash Carter said that a pilot bug-hunt for the Department of Defense uncovered 138 vulnerabilities at a cost of roughly $150,000—a substantial savings over hiring an outside contractor, which may have cost more than $1 million.
But a bug bounty can’t discover every single glaring vulnerability, especially since companies are (understandably) unwilling to give random outsiders access to every part of their infrastructure. So while bug bounties are a solid supplement to a company’s security strategy, they certainly shouldn’t be regarded as a full-on replacement for an in-house security team.