The Mercury News Weekend

Intel raises rewards for bug bounty after flaw controversy

Company opens up program to all security researchers

- By Rex Crum rcrum@bayareanewsgroup.com

Intel is hoping more bounties might lead to fewer meltdowns in the area of semiconductor security.

The chip giant said Thursday that it is opening up its bug bounty program to the public in the hopes that by casting a wider net, it will have better luck catching security flaws in its chips such as the recently found Spectre and Meltdown bugs. Those flaws, which became public in January, are said to have had the potential to affect every PC and mobile device in the world.

In a blog post, Rick Echevarria, Intel’s vice president and general manager of platform security, said the main changes in the bug bounty program include moving it from invitation-only to open to all security researchers, and offering a new program that runs until Dec. 31, 2018, that will pay up to $250,000 for the finding of “side channel vulnerabilities,” or the types of flaws similar to Spectre.

Additionally, Intel is raising bounties across the board up to $100,000. The company’s bug bounty program was first launched in March 2017.

“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” Echevarria wrote.

Echevarria added that the bounty program will “evolve” as it becomes necessary to make it more effective over time.

“We are acutely aware we have more to do. Security is a top priority for Intel.” — Intel Chief Executive Brian Krzanich

The company has said it doesn’t expect to have security patches and other measures to address the entirety of the Spectre and Meltdown flaws until this fall.

In a conference call last month discussing the company’s fourth-quarter business results, Intel Chief Executive Brian Krzanich said, “We are acutely aware we have more to do. Security is a top priority for Intel. These circumstances are highly dynamic. Security has always been a priority (and) an ongoing journey.”

But for a company that claims to be so stringent about security — Intel acquired security-technology company McAfee in 2012 for $7.6 billion, then spun the company out last year and still owns 49 percent of McAfee — the extent of the Spectre and Meltdown flaws has been something of a black eye for the company.
