The latest security information on Intel® products.

Bug Bounty Bonus: Pentium®, Celeron®, and Intel Atom® Processors

This program has ended on schedule.

Intel is announcing a new bonus incentive to our bug bounty program, focusing on firmware and hardware within Intel® Pentium®, Intel® Celeron®, and Intel Atom® processors (see below for full platform listing). This bonus incentive will be open to the public for a period of one year, May 11, 2021 - May 10, 2022 and will pay up to $150,000.00 for novel vulnerabilities (1.5x the normal maximum). Additionally, at the end of the one-year period, the top 10 submissions will be identified and recognized, and the top two researchers will be invited to speak (Virtually) at iSecCon (Intel’s internal security conference).

Bonus incentive open to the public –submissions must be received by 11:59pm PST on May 10, 2022 to be eligible for the bonus incentive.  Submissions received after that date are not eligible for the bonus incentive but may be eligible under Intel’s standard bug bounty program.

Bonus incentive award payout will be multiplier ranging from 1.2-1.5 the standing Bug Bounty payment. (See quick look chart below)

End-of-Year Award Package:

Within 3 Months of the end of the one-year window:

• Intel will select the top 10 research submissions and two researchers that will be invited to Intel iSecCon and potentially other speaking engagements.
• Intel will notify via email participants that were selected and winners of the top 10 submissions.
• Intel will issue a blog post outlining the top 10 research submissions received and crediting the researchers, if they consent to being publicly credited.
• Intel will email the two researchers who will be invited to speak at Intel iSecCon and other speaking engagements.

Example Topics of Interest:

• Escalation of Privilege​
• Information disclosure​
• Denial of Service ​
• Temporary
• Permanent ​
• Ability to alter/modify/change security boundaries

Reporting

Please review these Bug Bounty Program Terms before submitting a report.  By submitting your report, you agree to the terms of Intel® Bug Bounty Program. Intel terms outlined Intel® Bug Bounty Program Terms apply to this Special Bonus Program.

If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.

Important: To report a potential security issue or vulnerability with an Eligible Intel branded product or technology, please submit a report via email to Intel PSIRT Secure-bonus@intel.com.  Please, encrypt all email messages containing information related to potential security vulnerabilities using the Intel PSIRT PGP public key.  If you are having trouble encrypting your vulnerability report or have any questions about the process send a message to Intel PSIRT at Secure-bonus@intel.com. We will work with you to identify a method to securely transmit your vulnerability report.

In the report please include the following information:

• Include "Bug Bounty Bonus" in the title
• The name(s) of the Intel product or technology and the respective version information.
• Detailed description of the potential security vulnerability.
• Proof-of-concept that details the reproduction of the potential security vulnerability.

The more details provided in the initial report, the easier it will be for Intel to evaluate your report.

Eligible Reports (In Scope)

To be eligible for the Intel Bug Bounty Bonus incentive, submissions must be received by Intel between May 11, 2021 and 11:59pm PST on May 10, 2022.  Intel’s computers will be the official time-keeping device.  Additionally, submissions must meet the below eligibility criteria.

Details on eligibility to report vulnerability can be found at Intel® Bug Bounty Program Terms

The report must contain clear documentation that provides the following:

1. An overview/summary of the reported vulnerability and potential impact.
2. Detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited, and likelihood of a successful exploit.
3. The name and specific version of the Intel Bug Bounty Bonus incentive eligible Intel product(s) the potential vulnerability is reported on. 
4. Proof of Concept (POC) code or instructions that clearly demonstrates an exploit of the reported vulnerability. The POC must include instructions that, if followed by the Intel product engineering team, would successfully demonstrate existence and exploitability of the vulnerability. 
5. Information on how any POC code was developed and compiled. If appropriate, include the description of the development environment, including the compiler name, compiler version, options used to compile, and operating system revisions.  
6. Platform information where the reporter executed the POC (Operating System version, Microcode version, Output of cpuid-r, Kernel version and command line parameters.)

Eligible Intel branded products and technologies that are maintained and distributed by Intel, that are eligible for the Intel Bug Bounty Bonus incentive:

Intel, at its sole discretion, may reject any submission that we determine does not meet these criteria above or that are deemed as ineligible as set forth below.

Ineligible Reports (Out of Scope)

The following are general categories of vulnerabilities that are considered ineligible for a bounty award or an Intel Bug Bounty Bonus incentive:

• Vulnerabilities in products other than an Intel Bug Bounty Bonus incentive eligible product will not be eligible for an Intel Bug Bounty Bonus incentive.
• Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
• Vulnerabilities in product versions no longer under active support.
• Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
• Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
• Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope.

Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.

Submissions must be received by 11:59pm PST on May 10, 2022 to be eligible for the bonus incentive.  Intel’s computers will be the official time-keeping device.  Submissions received after that date are not eligible for the bonus incentive but may be eligible under Intel’s standard bug bounty program.

Bug Bounty Awards

Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines:

• Awards may be greater:
• based on the potential impact of the security vulnerability
• for well-written reports with complete reproduction instructions/PoC material. See the eligible report requirements above.
• if a functional mitigation or fix is proposed along with the reported vulnerability.

 

• Intel will award a bounty award for the first eligible report of a security vulnerability.
• Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
• From May 11, 2021 -May 10, 2022, Intel will award a bounty from $500 to $150,000 USD depending on the vulnerability type and originality, quality, and content of the report.
• Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
• Intel, at its sole discretion, will determine the top 10 research submissions and which researchers to invite to iSecCon or any other speaking engagement.
• Award amounts may change with time. Past awards do not necessarily guarantee the same award in the future.
• By making a submission, you agree to be bound by Intel’s decisions, which are final as to all matters.

Bounty Award Schedule

Each bug bounty report is individually evaluated based on the technical details provided in the report.  Intel generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability. 

• Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
• Triage – A team of Intel product engineers and security experts will determine if a vulnerability is valid and an eligible Intel product or technology is impacted.
• Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.   

From May 11, 2021 - May 10, 2022, Intel’s bug bounty awards may range from $500 to $150,000 as reflected in this Special Bonus Program depending on Special Bonus Program eligibility.  We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include but are not limited to: quality of the report, impact of the potential vulnerability, CVSS severity score, whether a POC was provided and the quality of the POC, and type of vulnerability. 

Bounty Award Payment

Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. 

Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.

Intellectual Property

By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel any and all rights to your Submission needed to do so.

In Scope eligible products and technologies are listed above, if you are unsure whether a product or technology is eligible, contact Intel PSIRT at secure@intel.com

Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program please refer to our Vulnerability Handling Guidelines. 

Intel reserves the right to alter the terms and conditions of this program at its sole discretion, at any time without notice to you.

Privacy

Collection and use of your information in connection with this program are governed by Intel’s Privacy policy, available here.