|Scope Type||Scope Name|
|ios_application||UEFI BIOS (Tiano core components for which Intel is only named maintainer)|
|other||Intel® Management Engine|
|other||Baseboard Management Controller (BMC)|
|other||Motherboard / System (e.g., Intel Compute Stick)|
|other||Solid State Drives|
|other||Processor (inclusive of micro-code ROM + updates)|
|other||Networking / Communication|
|other||Motherboard / System (e.g., Intel Compute Stick, NUC)|
|other||Solid State Drive|
Out of Scope
|Scope Type||Scope Name|
|other||https://security-center.intel.com|
|other||https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx|
|other||Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of Scope.|
Intel Corporation believes that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities in Intel products and technologies. Like other major technology companies, Intel incentivizes security researchers to report security vulnerabilities in Intel products and technologies to us to enable a coordinated response and minimize the risk to persons potentially subject to or affected by the vulnerability. To encourage closer collaboration with the security research community on these kinds of issues, Intel created its Bug Bounty Program. If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available.
Please encrypt your vulnerability reports with GnuPG or PGP using the Intel Product Security Incident Response Team public PGP key, which can be found at https://security-center.intel.com/PGPPublicKey.aspx. If you are having trouble encrypting your vulnerability report, send a message to secure [a] intel.com, our PSIRT team email address, to identify a method to securely transmit the vulnerability report.
The Intel Bug Bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in Intel branded products & technologies to us. What follows are program requirements and additional information. By submitting your report to the Intel Bug Bounty program, you assert that you meet each of these requirements.
To be eligible for Bounty Award consideration, your report must meet the following requirements:
Intel, at its sole discretion, may reject any submission that it determines does not meet these criteria or that Intel rejects as ineligible as set forth below.
The aim of the Intel Bug Bounty program is to continually improve the security of Intel products and technologies and minimize the impact of security vulnerabilities on our users. The following are general categories of vulnerabilities that are considered ineligible for a Bounty Award:
Vulnerabilities in pre-release versions (e.g., Beta, Release Candidate)
Vulnerabilities in versions no longer under active support
Intel encourages the reporting of all potential vulnerabilities, and will carefully review each report. Intel reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these ineligible categories of vulnerabilities, even if otherwise eligible for a bounty. Any conduct by a researcher or reporter that appears to be unlawful, malicious or criminal in nature will immediately disqualify any submission from the program.
If you identify a vulnerability that could be used to obtain access to sensitive content, including information that could be used to identify an individual (personal information), you must:
Failure to comply with the above will immediately disqualify any report from Bounty Award eligibility.
Eligibility for any award and award determinations are made at Intel’s sole discretion, under these general guidelines, and may vary from published amounts:
Intel will award a Bounty for the first report of a vulnerability with sufficient details to enable reproduction by Intel.
Intel will award a Bounty from $500 to $100,000 USD depending on the nature of the vulnerability and quality & content of the report.
This is the umbrella Bug Bounty Award Schedule. In addition, there may be limited duration bounty programs targeting specific threats, vulnerabilities, or technologies. Vulnerabilities that do not qualify for a limited duration program will use this schedule, subject to Eligibility requirements defined above.
Vulnerability Severity | Intel Software | Intel Firmware | Intel Hardware
Critical (9.0 - 10.0) | Up to $10,000 | Up to $30,000 | Up to $100,000
High (7.0 - 8.9) | Up to $5,000 | Up to $15,000 | Up to $30,000
Medium (4.0 - 6.9) | Up to $1,500 | Up to $3,000 | Up to $5,000
Low (0.1 - 3.9) | Up to $500 | Up to $1,000 | Up to $2,000
Intel considers a large number of factors when determining the severity of a vulnerability for the purposes of determining a Bounty Award. Our first step is to use an approved CVSS 3.0 calculator to compute a base score. The base score is then adjusted up or down based on the security objectives and threat model of the given product.
Bounty Award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. Intel generally makes Bounty Award payments in two separate installments upon the following milestones:
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with Bounty Award payments. Intel reserves the right to alter the terms and conditions of this program at its sole discretion.
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate and mitigate the vulnerability, and that you grant Intel any rights to your Submission needed to do so.