Computer chip giant Intel has launched a bug bounty program with Belgium-based Intigriti, after switching from rival, US-based ethical hacking platform HackerOne.
Intel is applying a 12-month bonus incentive to bug bounty rewards on select lines of hardware and firmware, which lifts the payout ceiling for the most critical bugs from $100,000 to $150,000.
Intel’s Intigriti bug bounty program launched on December 6, while its HackerOne program, which launched in February 2018, will stop accepting submissions as of today (December 13).
Payout tiers
Payout scales are split into three tiers, with top-tier rewards of between $2,000 and $100,000 reserved for vulnerabilities in hardware such as microprocessors, chipsets, motherboards, and SSDs (solid state drives).
Payouts on second tier, firmware flaws range between $1,000 and $30,000, while the rewards for the lowest value, software-focused tier are between $500-$10,000.
But the application of a bonus multiplier of between 1.2 and 1.5 on certain targets will result in ‘exceptional’ bugs – a level above even ‘critical’ issues – attracting payouts of up to $45,000 for firmware and $150,000 for hardware.
The bonus scheme will apply to firmware and hardware within Intel, Pentium, Intel Celeron, and Intel Atom processors between May 11, 2021 and May 10, 2022.
At the end of the bonus period Intel will publish a blog post hailing the top 10 vulnerability submissions, while the two best performing security researchers will be invited to speak virtually at iSecCon, Intel’s internal security conference.
Intel’s web infrastructure falls outside the program’s scope. Web application vulnerability reports should instead be submitted by email via external.security.research@intel.com.
‘Community engagement’
Founded in 2016, Intigriti is a more recent arrival to the bug bounty scene than HackerOne – which launched in 2012 – and says it is already used by 40,000 security researchers.
A spokesperson for Intel told The Daily Swig: “As our contract with HackerOne came to an end, we evaluated services available in the market and found that Intigriti best meets our needs as we continue to evolve our bug bounty program.”
Stijn Jans, CEO and founder of Intigriti, told The Daily Swig: “It’s very exciting news for us. Throughout the discussions with Intel we have seen that they want to invest heavily in community engagement and education events.
He added: “There are several ways we invest in the researchers. Our community team is working with the community to create content, interviewing for example researchers about how their life is going and how they feel working with us and all the [bug bounty] platforms. We also host challenges that are very popular amongst researchers to educate them on new techniques.”
Inti De Ceukelaire, Intigriti’s head of hackers and a bug hunter himself, added: “Hackers are involved throughout the whole decision process at Intigriti so we are very hacker-focused, and we interact in a unique way with the community.
“We’re in a transition phase with Intel, so the focus right now is to make sure that we onboard the program that people know and love, make some minor adjustments to it along with the Intel team, incorporate some learnings they have from their other program, then make sure the hackers that have reported to them before are accommodated in the best way possible. That’s currently our number one priority.
“Once we believe that is finished, we will start engaging with some other very cool things that have not been done before.”