Intel® Bug Bounty Program Terms
Security is a collaboration
Intel Corporation believes that forging relationships with security researchers and fostering security research is a crucial part of our Security First Pledge. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities.
Bug Bounty Reporting
Please review these Bug Bounty Program Terms before submitting a report. By submitting your report, you agree to the terms of Intel’s Bug Bounty Program.
If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.
Important: To report a potential security issue or vulnerability with an Intel branded product or technology, please submit a report via email to Intel PSIRT (email@example.com). Please encrypt all email messages containing information related to potential security vulnerabilities using the Intel PSIRT PGP public key. If you are having trouble encrypting your vulnerability report or have any questions about the process, send a message to Intel PSIRT (firstname.lastname@example.org). We will work with you to identify a method to securely transmit your vulnerability report.
In the report, please include the following information:
- The name(s) of the Intel product or technology and the respective version information.
- Detailed description of the potential security vulnerability.
- Proof-of-concept that details the reproduction of the potential security vulnerability.
The more details provided in the initial report, the easier it will be for Intel to evaluate your report.
Note: Intel uses the HackerOne platform to administer payments for the Intel Bug Bounty program.
Security Researcher and Reporter Eligibility Criteria
All criteria must be met in order to participate in the Bug Bounty Program.
- You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to Intel’s Bug Bounty program.
- You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
- You are not a resident of a U.S. Government embargoed country.
- You are not on a U.S. Government list of sanctioned individuals.
- You are not currently nor have been an employee of Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
- You are not currently nor have been under contract to Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
- You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
- You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel.
- You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
- You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Intel does not view testing that is done in compliance with the terms and conditions of this bug bounty program as unauthorized.
- There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.
If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to Intel PSIRT (email@example.com).
Sensitive and Personal Information
Never attempt to access anyone else's data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert Intel immediately and support our investigation and mitigation efforts.
Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.
Eligible Reports (in scope)
To be eligible for bounty award consideration, your report must meet the following requirements:
- The report and any accompanying material sent to Intel have been encrypted with the Intel PSIRT public PGP key.
- The Intel products in your report correspond to an item explicitly listed below as “Eligible Intel branded products and technologies”.
- The vulnerability you identify must be original, not previously reported to Intel, and not publicly disclosed.
- The report must show that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected product or technology.
The report must contain clear documentation that provides the following:
- An overview/summary of the reported vulnerability and potential impact.
- Detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited, and the likelihood of a successful exploit.
- The name and specific version of the Intel product(s) the potential vulnerability is reported on.
- Proof of Concept (POC) code or instructions that clearly demonstrate an exploit of the reported vulnerability. The POC must include instructions that, if followed by the Intel product engineering team, would successfully demonstrate the existence and exploitability of the vulnerability.
- Information on how any Proof of Concept (POC) code was developed and compiled. If appropriate, include the description of the development environment, including the compiler name, compiler version, options used to compile, and operating system revisions.
Eligible Intel branded products and technologies that are maintained and distributed by Intel:
- Microprocessors (inclusive of micro-code ROM + updates)
- Field Programmable Gate Array (FPGA) components
- Networking / communication components
- Motherboards / systems (e.g., Intel Compute Stick, NUC)
- Solid State Drives (SSD)
- UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
- Intel® Management Engine
- Baseboard Management Controller (BMC)
- Device drivers
- Development tools
Intel encourages the reporting of all potential vulnerabilities.
Intel, at its sole discretion, may reject any submission that we determine does not meet the criteria above or that is deemed ineligible as set forth below.
Ineligible Reports (out of scope)
The following are general categories of vulnerabilities that are considered ineligible for a bounty award:
- Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device.
- Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
- Vulnerabilities in product versions no longer under active support.
- Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
- Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
- Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope as defined below.
Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.
Bug Bounty Awards
Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines that may vary from published documentation:
- Awards may be greater:
  - based on the potential impact of the security vulnerability.
  - for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
  - if a functional mitigation or fix is proposed along with the reported vulnerability.
- Intel will award a bounty for the first eligible report of a security vulnerability.
- Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
- Intel will award a bounty from $500 to $100,000 USD depending on the vulnerability type and originality, quality, and content of the report.
- Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
- Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.
Bounty Award Schedule
Each bug bounty report is individually evaluated based on the technical details provided in the report. Intel generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.
- Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
- Triage – A team of Intel product engineers and security experts will determine if a vulnerability is valid and an eligible Intel product or technology is impacted.
- Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.
Intel’s bug bounty awards range from $500 up to $100,000. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, the impact of the potential vulnerability, the CVSS severity score, whether a POC was provided and the quality of the POC, and the type of vulnerability. The table below is a general guide to the potential award amounts. However, the awards may vary based on the factors mentioned above.
Bounty Award Payment
Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis.
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel any and all rights to your Submission needed to do so.
Specific Examples of Out of Scope Findings
- Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, are out of scope. Please send security vulnerability reports against intel.com and/or related web presence to firstname.lastname@example.org.
- Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of scope.
- Intel freeware applications are out of scope.
- Intel-maintained open source software projects are out of scope. Please see www.01.org/security for information on reporting security vulnerabilities in Intel-maintained open source projects.
- Products of former Intel subsidiaries, such as McAfee and Wind River, are out of scope.
- Please send vulnerability reports against McAfee products to the McAfee product security team. For more information, visit https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.
In-scope eligible products and technologies are listed above. If you are unsure whether a product or technology is eligible, contact Intel PSIRT at email@example.com.
Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program, please refer to our Vulnerability Handling Guidelines.
Intel reserves the right to alter the terms and conditions of this program at its sole discretion.
Report a Vulnerability
If you have information about a security issue or vulnerability with an Intel branded product or technology, please send an e-mail to firstname.lastname@example.org. Encrypt sensitive information using our PGP public key.
Please provide as much information as possible, including:
- The products and versions affected
- Detailed description of the vulnerability
- Information on known exploits
A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:
For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.