After keeping a slow pace when compared with its rivals, Intel is finally back on track with the launch of its first-ever bug bounty program.
The company is offering a reward of up to $30,000 to researchers for exposing hardware vulnerabilities.
On March 15, at the CanSecWest security conference, Intel introduced the bug bounty program, which targets the company's products.
The company wants to encourage researchers to find flaws and report them to it directly, which will help Intel take prompt action. The program will also help Intel assess and fix the vulnerabilities immediately. The program will be operated via HackerOne, which enlists white hats from across the world to identify security vulnerabilities in different hardware, software and firmware.
Intel wants to acknowledge researchers for their effort in identifying vulnerabilities and is therefore offering a reward.
"By partnering constructively with the security research community, we believe we will be better able to protect our customers," noted the announcement from the company.
More Tricky, More Money
According to the bug bounty program specifications, the more difficult a vulnerability is to identify, the more money a white hat will get from Intel. The company considers several factors when judging the threat posed by a vulnerability.
First, it uses the CVSS 3.0 calculator to estimate a base score. That score is then adjusted on the basis of the security objectives and the threat model for the particular product. Intel's payment to the bounty hunter is based on these parameters.
To illustrate, a critical vulnerability found in Intel software is worth $7,500, whereas one found in firmware entitles a hunter to $10,000. The highest payouts go to those who identify vulnerabilities in Intel hardware.
A few products are excluded from the bug bounty program, as detailed below.
Intel Security products, known as McAfee, are not eligible for the bug bounty program. Third-party products and open source software are not eligible either.
Intel's web infrastructure is also excluded from the bug bounty program. Recent acquisitions are not eligible for a minimum of six months after the acquisition is complete.
If a large number of tech companies take the same initiative as Intel, the bug bounty program will be great news for the community. Why? Because it will show that companies are concerned about security. A few companies, such as Google, already run their own programs, but most companies work with HackerOne to conduct a bug bounty program.
Photo: Takuya Oikawa | Flickr