Components & Peripherals News
Intel Launches Bug Bounty Program To Find New Spectre-Related Vulnerabilities
As the fallout continues around the Spectre and Meltdown security flaws, Intel is launching a new bug bounty program focused on side channel vulnerabilities similar to Spectre.
The company on Wednesday announced that the new program will run through Dec. 31 and that Intel will offer awards of up to $250,000 for finding critical issues relating to side-channel vulnerabilities.
"Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published," said Rick Echevarria, vice president and general manager of Platform Security at Intel, in a statement. "Our Bug Bounty Program supports this objective by creating a process whereby the security research community can inform us, directly and in a timely fashion, about potential exploits that its members discover."
Also, Intel said that it was expanding its existing bug bounty program, announced in March 2017, so that the program is open to all security researchers instead of being invitation only. It is also raising bounty awards across the board, including increasing the top reward for critical hardware flaws in its regular bug bounty program from $30,000 to $100,000.
The Spectre and Meltdown security flaws, which were revealed in January and had impacted chips from multiple vendors, including Intel, AMD, and ARM. The defects, which account for three variants of a side-channel analysis security issue in server and PC processors, potentially could enable hackers to access protected data.
Michael Goldstein, president and CEO of Fort Lauderdale, Fla.-based LAN Infotech, said that Spectre and Meltdown are particularly confusing security flaws, and he was "surprised by the confusion in the marketplace" when the flaws were first made public.
"There was a lot of confusion at first because these are complicated security issues … we saw some panic with our clients," he said.
Intel has made substantial investments in security on the heels of Spectre and Meltdown, including the recent formation of an internal security group, the Intel Product Assurance and Security Group.
"We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge," said Echevarria in the statement. "We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data."