Intel Corporation

Security is a Collaboration

Intel Corporation believes that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities in Intel products and technologies. Like other major technology companies, Intel incentivizes security researchers to report security vulnerabilities in Intel products and technologies to us to enable a coordinated response and minimize the risk to persons potentially subject to or affected by the vulnerability. To encourage closer collaboration with the security research community on these kinds of issues, Intel created its Bug Bounty Program. If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available.

Please encrypt your vulnerability reports with GnuPG or PGP using the Intel Product Security Incident Response Team public PGP key, which can be found at https://security-center.intel.com/PGPPublicKey.aspx __. If you are having trouble encrypting your vulnerability report, send a message to secure [a] intel.com, our PSIRT team email address, to identify a method to securely transmit the vulnerability report.

BUG BOUNTY REPORTING

The Intel Bug Bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in Intel branded products & technologies to us. What follows are program requirements and additional information. By submitting your report to the Intel Bug Bounty program, you assert that you meet each of these requirements.

Reporter Requirements: (Must meet all for participation)

• You are reporting in an individual capacity or, if employed by another company, you have that company’s written approval to submit a report to Intel’s Bug Bounty program
• You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting
• You are not a resident of a US-embargoed country
• You are not on a US list of sanctioned individuals
• You are not currently nor have been an employee of Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report
• You are not currently nor have been under contract to Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report
• You are not a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above
• You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel

Eligible Reports:

To be eligible for Bounty Award consideration, your report must meet the following requirements:

• Must be encrypted with the Intel PSIRT public PGP key, available at https://security-center.intel.com/PGPPublicKey.aspx __
• Must pertain to an item explicitly listed below as “Eligible Intel products and technologies”
• Must identify an original and previously unreported & not publicly disclosed vulnerability
• Must have been tested against the most recent publicly available version of the affected product or technology
• Must include clear documentation on the vulnerability and instructions on how to reproduce the vulnerability
• Must include your assessed CVSS v3 vector string, score, and rating using one of the approved CVSS v3 calculators referenced below.

Intel, at its sole discretion, may reject any submission that it determines does not meet these criteria or that Intel rejects as ineligible as set forth below.

Ineligible Reports:

The aim of the Intel Bug Bounty program is to continually improve the security of Intel products and technologies and minimize the impact of security vulnerabilities on our users. The following are general categories of vulnerabilities that are considered ineligible for a Bounty Award:

• Vulnerabilities in pre-release versions (e.g., Beta, Release Candidate)

• Vulnerabilities in versions no longer under active support

• Vulnerabilities already known to Intel
• Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product
• Vulnerabilities considered out of scope as defined below

Intel encourages the reporting of all potential vulnerabilities, and will carefully review each report. Intel reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these ineligible categories of vulnerabilities, even if otherwise eligible for a bounty. Any conduct by a researcher or reporter that appears to be unlawful, malicious or criminal in nature will immediately disqualify any submission from the program.

Sensitive and Personal Information and Eligibility

If you identify a vulnerability that could be used to obtain access to sensitive content, including information that could be used to identify an individual (personal information), you must:

• Limit disclosure of the details of the vulnerability - use a need-to-know philosophy, and
• Take no actions that would result in unauthorized access to such information and work to prevent disclosure, and
• Alert Intel as soon as possible and support our investigation

Failure to comply with the above will immediately disqualify any report from Bounty Award eligibility.

ELIGIBLE INTEL PRODUCTS AND TECHNOLOGIES:

Intel Hardware

• Processor (inclusive of micro-code ROM + updates)
• Chipset
• FPGA
• Networking / Communication
• Motherboard / System (e.g., Intel Compute Stick, NUC)
• Solid State Drives

Intel Firmware

• UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
• Intel® Management Engine
• Baseboard Management Controller (BMC)
• Motherboard / System (e.g., Intel Compute Stick)
• Solid State Drives

Intel Software

• Device driver
• Application
• Tool

BUG BOUNTY AWARDS

Philosophy:

• Awards are greater for products that are less survivable (HW>FW>SW)
• Awards are greater for working exploits than for vulnerabilities
• Awards are greater for higher priority threats / security objectives
• Awards are greater for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material.

How Are Bounty Awards & Recognitions Determined?

Eligibility for any award, and award determinations are made at Intel’s sole discretion, under these general guidelines, and may vary from published amounts:

• Intel will award a Bounty for the first report of a vulnerability with sufficient details to enable reproduction by Intel.

• Intel will award a Bounty from $500 to $100,000 USD depending on the nature of the vulnerability and quality & content of the report.

• The first external report received on an internally known vulnerability will receive a maximum of $1,500 USD Award.
• The approved CVSS calculators which may be used for determining the baseline Severity of all reported vulnerabilities shall be either the NVD CVSSv3 calculator (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator __) or the FIRST CVSSv3 calculator ( https://www.first.org/cvss/calculator/3.0 __) at Intel’s sole discretion.
• Intel will publicly recognize security researchers on advisories and Bug Bounty collateral, at or after the time of public disclosure of the vulnerability, if & as agreed to by the researcher who reported the vulnerability.
• Awards are limited to one (1) Bounty Award per eligible root-cause vulnerability. If that vulnerable component is present in other Intel products, a Bounty Award will be paid only for the first reported product instance. Intel, at its sole discretion, will decide whether the reported vulnerability is the first reported product instance of that root-cause vulnerability.

Permanent Award Schedule:

This is the umbrella Bug Bounty Award Schedule. In addition, there may be limited duration bounty programs targeting specific threats, vulnerabilities, or technologies. Vulnerabilities that do not qualify for a limited duration program will use this schedule, subject to Eligibility requirements defined above.

Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware
---|---|---|---
Critical (9.0 - 10.0) | Up to $10,000 | Up to $30,000 | Up to $100,000
High (7.0 - 8.9) | Up to $5,000 | Up to $15,000 | Up to $30,000
Medium (4.0 - 6.9) | Up to $1,500 | Up to $3,000 | Up to $5,000
Low (0.1 - 3.9) | Up to $500 | Up to $1000 | Up to $2,000

Note on Severity Rating:

Intel considers a large number of factors when determining the severity of a vulnerability for the purposes of determining a Bounty Award. Our first step is to use an approved CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model of the given product.

Bounty Award Payment:

Bounty Award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. Intel generally makes Bounty Award payments in two separate installments upon the following milestones:

1. Partial payment when Intel has validated the reported issue
2. Remainder of the Bounty Award when coordinated disclosure of the issue has occurred

Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with Bounty Award payments. Intel reserves the right to alter the terms and conditions of this program at its sole discretion.

Intellectual Property

By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate and mitigate the vulnerability, and that you grant Intel any rights to your Submission needed to do so.

OUT OF SCOPE FINDINGS

• Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com.
• Third-party products that do or do not contain Intel-branded products or technology fall out of Scope. However, if the issue is root-caused to an Intel-branded product or technology, please submit your report under the appropriate Scope type above. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at www.intel.com/security __
• Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of Scope.
• Intel freeware applications are out of Scope. However, if you have a security vulnerability in an Intel freeware application, please send your report to the Intel Product Security Response Team (PSIRT) at secure [a] intel.com. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at www.intel.com/security __.
• Recent acquisitions by Intel are out of Scope for the Bug Bounty program for a minimum period of 6 months after the acquisition is complete. If you have a security vulnerability in a product recently acquired by Intel, please send your report to the Intel Product Security Response Team (PSIRT) at secure [a] intel.com . Please remember to encrypt your report using the Intel PSIRT public key, which can be found at www.intel.com/security __.
• Intel-Maintained open source software projects fall out of Scope. Please see www.01.org/security __for information on reporting security vulnerabilities in Intel-maintained open source projects.
• Products of former Intel subsidiary McAfee fall out of Scope. Please send vulnerability reports against McAfee products to the McAfee product security team. For more information, visit https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx __.