Intel® Bug Bounty Program Terms
Intel is transitioning bug bounty vulnerability management to Intigriti (https://www.intigriti.com/) on December 6, 2021. We will no longer be accepting NEW HackerOne reports after December 13, 2021. For any new reports beginning December 6, 2021, please submit directly to https://go.intigriti.com/intel.
- To continue to submit tickets to the Intel® Bug Bounty program, please register with https://go.intigriti.com/intel-signup.
- Pending reports: During the month of December 2021, Intel will be correlating existing, open reports from HackerOne to the Intigriti platform. Researchers should not experience any interruptions in case handling. As always, you can contact us at email@example.com for any questions or concerns.
- Transitioned cases will be handled per the standard Intel PSIRT process. This transition does not impact any pre-existing disclosure plans. Established embargo periods will be upheld.
Security is a collaboration
Intel Corporation believes that forging relationships with security researchers and fostering security research is a crucial part of our Security First Pledge. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities.
Bug Bounty Reporting
Please review these Bug Bounty Program Terms before submitting a report. By submitting your report, you agree to the terms of the Intel® Bug Bounty Program.
If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.
Important: To report a potential security issue or vulnerability with an Intel branded product or technology, please submit a report via email to Intel PSIRT (firstname.lastname@example.org). Please encrypt all email messages containing information related to potential security vulnerabilities using the Intel PSIRT PGP public key. If you are having trouble encrypting your vulnerability report or have any questions about the process, send a message to Intel PSIRT (email@example.com). We will work with you to identify a method to securely transmit your vulnerability report.
In the report, please include the following information:
- The name(s) of the Intel product or technology and the respective version information.
- Detailed description of the potential security vulnerability.
- Proof-of-concept that details the reproduction of the potential security vulnerability.
The more details provided in the initial report, the easier it will be for Intel to evaluate your report.
Security Researcher and Reporter Eligibility Criteria
All criteria must be met in order to participate in the Bug Bounty Program.
- You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to the Intel® Bug Bounty Program.
- You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
- You are not a resident of a U.S. Government embargoed country.
- You are not on a U.S. Government list of sanctioned individuals.
- You are not currently, and have not been within the 6 months prior to submitting a report, an employee of Intel Corporation or an Intel subsidiary.
- You are not currently, and have not been within the 6 months prior to submitting a report, under contract to Intel Corporation or an Intel subsidiary.
- You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
- You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel.
- You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
- You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Intel does not view testing that is done in compliance with the terms and conditions of this bug bounty program as unauthorized.
- There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.
If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to Intel PSIRT (firstname.lastname@example.org).
Sensitive and Personal Information
Never attempt to access anyone else's data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert Intel immediately and support our investigation and mitigation efforts.
Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.
Eligible Reports (in scope)
To be eligible for bounty award consideration, your report must meet the following requirements:
- The report and any accompanying material sent to Intel has been encrypted with the Intel PSIRT public PGP key.
- The Intel products in your report correspond to an item explicitly listed below as “Eligible Intel branded products and technologies”.
- The vulnerability you identify must be original, not previously reported to Intel, and not publicly disclosed.
- The report must show that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected product or technology.
The report must contain clear documentation that provides the following:
- An overview/summary of the reported vulnerability and potential impact.
- Detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited and likelihood of a successful exploit.
- The name and specific version of the Intel product(s) the potential vulnerability is reported on.
- Proof of Concept (POC) code or instructions that clearly demonstrates an exploit of the reported vulnerability. The POC must include instructions that if followed by the Intel product engineering team would successfully demonstrate existence of and exploitability of the vulnerability.
- Information on how any Proof of Concept (POC) code was developed and compiled. If appropriate, include the description of the development environment, including the compiler name, compiler version, options used to compile, and operating system revisions.
Eligible Intel branded products and technologies that are maintained and distributed by Intel:
- Microprocessors (inclusive of micro-code ROM + updates)
- Field Programmable Gate Array (FPGA) components
- Networking / communication components
- Motherboards / systems (e.g., Intel Compute Stick, NUC)
- Solid State Drives (SSD)
- UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
- Intel® Management Engine
- Baseboard Management Controller (BMC)
- Device drivers
- Development tools
Intel encourages the reporting of all potential vulnerabilities.
Intel, at its sole discretion, may reject any submission that we determine does not meet the criteria above or that is deemed ineligible as set forth below.
Ineligible Reports (out of scope)
The following are general categories of vulnerabilities that are considered ineligible for a bounty award:
- Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device.
- Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
- Vulnerabilities in product versions no longer under active support.
- Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
- Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
- Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope as defined below.
Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.
Bug Bounty Awards
Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines that may vary from published documentation:
- Awards are based on the potential impact of the security vulnerability.
- Awards favor well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
- Awards take into account whether a functional mitigation or fix is proposed along with the reported vulnerability.
- Intel will award a bounty award for the first eligible report of a security vulnerability.
- Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
- Intel will award a bounty from $500 to $100,000 USD depending on the vulnerability type and originality, quality, and content of the report.
- Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
- Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.
Bounty Award Schedule
Each bug bounty report is individually evaluated based on the technical details provided in the report. Intel generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.
- Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for triage. See the Bug Bounty Reporting section above for a list of required information.
- Triage – A team of Intel product engineers and security experts will determine if a vulnerability is valid and an eligible Intel product or technology is impacted.
- Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.
Intel’s bug bounty awards range from $500 up to $100,000. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, the impact of the potential vulnerability, the CVSS severity score, whether a POC was provided and the quality of that POC, and the type of vulnerability. The table below is a general guide to the potential award amounts. However, the awards may vary based on the factors mentioned above.