February 14, 2018: Post-Meltdown Intel Tries to Save Face with $250,000 Bug Bounty Program

Catalin Cimpanu from Bleeping Computer writes:

Intel has launched a public bug bounty program with individual rewards going as far as $250,000, the company said today in a press release. Intel had previously run a bug bounty program, but that one was limited to submissions from a few selected security researchers only.

The new bug bounty program will be hosted on the HackerOne platform, and Intel has opened up its hardware, firmware, and software products for the occasion.

Almost all Intel products are up for hacking

Any security researcher with a HackerOne account can now hunt for a selected list of bugs in Intel products such as CPUs, chipset code, SSDs, motherboards, networking cards, and their respective firmware, drivers, and OS-level applications.

In-depth details of what’s in or out of scope are available on Intel’s regular bug bounty page and its new HackerOne profile.

Based on the bugs they find, researchers could be earning anything from $500 to $250,000.

Intel is running two bug bounty programs

There are actually two bug bounty programs. One is the normal bug bounty program with rewards from $500 to $100,000, and a second bug bounty program for side channel bugs.

The top dollars will go to researchers who discover side-channel bugs, and researchers could make from $5,000 to $250,000. This program will end on December 31, 2018.

According to Intel, side channel bugs are those vulnerabilities rooted in the component’s hardware design and which are exploitable via local software. Meltdown and Spectre are side channel bugs.

Intel says it will pay researchers based on the vulnerability’s CVSS v3.0 severity scale.

Vulnerability Severity    Intel Software    Intel Firmware    Intel Hardware
Critical (9.0 – 10.0)     Up to $10,000     Up to $30,000     Up to $100,000
High (7.0 – 8.9)          Up to $5,000      Up to $15,000     Up to $30,000
Medium (4.0 – 6.9)        Up to $1,500      Up to $3,000      Up to $5,000
Low (0.1 – 3.9)           Up to $500        Up to $1,000      Up to $2,000

Vulnerability Severity    Intel Hardware w/ Side Channel Exploit through Software
Critical (9.0 – 10.0)     Up to $250,000
High (7.0 – 8.9)          Up to $100,000
Medium (4.0 – 6.9)        Up to $20,000
Low (0.1 – 3.9)           Up to $5,000

Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753), and Spectre Variant 2 (CVE-2017-5715) all have the same CVSS severity score of 5.9. This means that according to the table above, each of these bugs would have brought in a maximum of $20,000 for researchers, and a total of $60,000.

It’s a PR stunt. The problem wasn’t bug reporting.

Through its new bug bounty program, Intel is trying to wash away the image of a disastrous patching process. In reality, the new bug bounty program is nothing more than a PR move, and even if it had been in place last year, it wouldn’t have helped.

Intel received notice of the Meltdown and Spectre bugs in June 2017, but it took four months to notify downstream OEMs about the issues, doing so in November.

Despite this, when public disclosure came around, Intel did not have CPU microcode patches available for OEM vendors, and the Meltdown and Spectre flaws are still largely unpatched even today.

Even if news of the Meltdown and Spectre flaws became public a week before the planned public disclosure, Intel can’t use this as an excuse.

The company wouldn’t have had CPU microcode patches available anyway, nor would OEMs have had enough time to integrate those microcode updates into BIOS and firmware updates for the various desktops, laptops, or devices that used affected Intel CPUs.

The problem wasn’t researchers getting in contact with the company, nor Intel paying researchers for their findings, but Intel patching its damn hardware, which Intel miserably failed to do with a six-month disclosure deadline.