Intel dangles $250k award for bugs worse than Meltdown-Spectre
- 15 February, 2018 03:05
Intel has created a temporary bug bounty dedicated to finding the same type of CPU vulnerabilities as Meltdown and Spectre.
Intel's limited-duration “side channel” program encourages researchers to find side channel attacks in its chips similar to the three attack variants collectively known as Meltdown and Spectre. Some of the variants affect AMD and Arm chips too, but only Intel chips are affected by all three.
To qualify, the root cause of a side channel vulnerability must lie in Intel hardware, yet the flaw must be exploitable from software.
The program will run until December 31, 2018 and offers researchers up to $250,000 for an issue rated critical. Less severe bugs attract smaller awards, ranging from up to $100,000 down to under $5,000 depending on severity.
Severity is rated with the CVSS 3.0 calculator. The top award goes to researchers who find a hardware-rooted, software-exploitable bug with a CVSS 3.0 base score of at least 9.0. In other words, the bug will need to be rated considerably more severe than the three variants that make up Meltdown and Spectre, each of which carries a CVSS 3.0 base score of 5.6.
Intel vice president Rick Echevarria said the new program and an increase in awards for its existing bug bounty were to support its recent “security-first pledge” announced by Intel CEO Brian Krzanich in the wake of Meltdown and Spectre’s public disclosure.
“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” said Echevarria.
Google's Project Zero researchers reported the Meltdown and Spectre attacks to the affected chip makers in June last year; the flaws were made public in January 2018, triggering a large mitigation effort involving operating system makers, OEMs, chip makers, hypervisor makers and cloud providers. The same bugs were also found independently by several other researchers.
Intel is raising the top award in its permanent bug bounty to $100,000. It launched this bounty 11 months ago, offering researchers up to $30,000 for reporting critical vulnerabilities in its chips. The program, which is coordinated by HackerOne, has so far paid researchers $93,000.
The permanent bounty covers Intel hardware, firmware such as UEFI BIOS and the Intel Management Engine, and Intel software, such as device drivers, applications and tools.
The award for the most critical firmware bug has been raised from $10,000 to up to $30,000. A critical software flaw can attract an award of up to $10,000, up from a maximum of $7,500.