Intel, at its sole discretion, may reject any submission that we determine does not meet the criteria above or that is deemed ineligible as set forth below.
Ineligible Reports (Out of Scope)
The following are general categories of vulnerabilities that are considered ineligible for a bounty award or an Intel Bug Bounty Bonus incentive:
- Vulnerabilities in products other than an Intel Bug Bounty Bonus incentive eligible product will not be eligible for an Intel Bug Bounty Bonus incentive.
- Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
- Vulnerabilities in product versions no longer under active support.
- Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
- Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
- Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope.
Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.
Submissions must be received by 11:59pm PST on May 10, 2022 to be eligible for the bonus incentive. Intel’s computers will be the official time-keeping device. Submissions received after that date are not eligible for the bonus incentive but may be eligible under Intel’s standard bug bounty program.
Bug Bounty Awards
Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines:
- Awards may be greater:
  - based on the potential impact of the security vulnerability
  - for well-written reports with complete reproduction instructions/PoC material. See the eligible report requirements above.
  - if a functional mitigation or fix is proposed along with the reported vulnerability.
- Intel will award a bounty award for the first eligible report of a security vulnerability.
- Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
- From May 11, 2021 - May 10, 2022, Intel will award a bounty from $500 to $150,000 USD depending on the vulnerability type and originality, quality, and content of the report.
- Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
- Intel, at its sole discretion, will determine the top 10 research submissions and which researchers to invite to iSecCon or any other speaking engagement.
- Award amounts may change with time. Past awards do not necessarily guarantee the same award in the future.
- By making a submission, you agree to be bound by Intel’s decisions, which are final as to all matters.
Bounty Award Schedule
Each bug bounty report is individually evaluated based on the technical details provided in the report. Intel generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.
- Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
- Triage – A team of Intel product engineers and security experts will determine if a vulnerability is valid and an eligible Intel product or technology is impacted.
- Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.
From May 11, 2021 - May 10, 2022, Intel’s bug bounty awards may range from $500 to $150,000 as reflected in this Special Bonus Program depending on Special Bonus Program eligibility. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include but are not limited to: quality of the report, impact of the potential vulnerability, CVSS severity score, whether a POC was provided and the quality of the POC, and type of vulnerability.
Bounty Award Payment
Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis.
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel any and all rights to your Submission needed to do so.
In-scope eligible products and technologies are listed above. If you are unsure whether a product or technology is eligible, contact Intel PSIRT at firstname.lastname@example.org.
Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program, please refer to our Vulnerability Handling Guidelines.
Intel reserves the right to alter the terms and conditions of this program at its sole discretion, at any time without notice to you.