Intigriti
Description

Advanced Micro Devices, Inc., commonly abbreviated as AMD, is an American multinational semiconductor company based in Santa Clara, California, that develops computer processors and related technologies for business and consumer markets.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
$
2,000
5,000
15,000
30,000
30,000
Tier 1
$2,000 - $30,000
Tier 2
$
1,000
3,000
9,000
15,000
15,000
Tier 2
$1,000 - $15,000
Tier 3
$
500
1,500
5,000
10,000
10,000
Tier 3
$500 - $10,000
Rules of engagement
Not applicable
Not applicable
Not applicable
Not applicable

By participating in this Program, you (the “Researcher”, herein referred to as “You”) agree to the following Rules of Engagement:

  • You agree to follow Intigriti Code of Conduct

  • You agree to follow the Intigriti Researcher Terms and Conditions

  • You meet the Security Researcher and Submission Eligibility Criteria listed below for any AMD Bug Bounty Program. You chose to participate in and You agree to the AMD Program Conditions outlined herein.

  • You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform.

  • Your Submission is for an Asset (herein referred to as “product” and/or “technology”) that is identified as in scope of the AMD Program(s).

  • You agree that in the course of Your research under this Program, You will not attempt to access anyone else’s data or personal information, including by exploiting a Vulnerability. See Sensitive and Personal Information section below for additional details.

  • You agree to conduct Your research within the bounds of Ethical Hacking. See Safe Harbor section below for additional details.

  • You acknowledge that Bounty awards under this Program, including the timing, bounty amount and form of payments, are at AMD’s sole discretion and will be made by AMD on a case-by-case basis. See Bounty Award Payment section for additional details.

  • You agree to adhere to any embargoes and refrain from discussing or disclosing any Vulnerability information without AMD’s prior written consent (including POC’s on YouTube, Vimeo, etc.).

  • You agree to practice coordinated disclosure in all of Your security research conducted under the Program (this includes posting /sharing of information on any social media venue).

  • You agree to give AMD a perpetual license to freely use any information and/or communications ("feedback") you provide through the reporting process in the Program.

Safe Harbor

AMD agrees to provide commercially reasonable safe harbor and will not initiate a lawsuit or law enforcement investigations against Researchers who follow the Rules of Engagement and conduct research within the bounds of Ethical Hacking. Please note this waiver does not apply to security research that involves the networks, systems information, applications, devices, products or services of another party (i.e., any party other than AMD). AMD cannot and does not authorize security research on another party’s products or in the name of other entities or individuals. A gentle reminder that Ethical Hacking without permission from the owner may be illegal, even with the best intentions in mind.
Under the Program, AMD agrees to provide named acknowledgement on an AMD disclosure to the best of its ability.

  • For example, AMD will only use the information provided by You in a Submission.
  • Acknowledgements will include Your bug bounty platform username only, unless You request otherwise in Your Submission.
  • If multiple collaborators should be acknowledged, ensure all users are included in the Submission.
  • You may request to remain anonymous at any time prior to publication of a respective AMD disclosure.
  • AMD will not edit the acknowledged name unless it is proven to be inaccurate.
  • Additional limits may apply.

Bug Bounty Reporting

Please review the Security Researcher and Submission Eligibility Criteria below for the AMD Bug Bounty Program before providing a report (a “Submission”).
By submitting Your report, You agree to the Intigriti Code of Conduct, the Intigriti Researcher Terms and Conditions and the AMD Program Conditions documented herein. In the event the Program Conditions of the AMD Bug Bounty Program(s) conflict with the Intigriti T&Cs, the AMD Program Conditions shall prevail.

NOTE: AMD cannot and does not authorize security research on another party’s products or security research in the name of other entities or individuals.

AMD Security Researcher Eligibility Criteria – You agree to the following terms:

  1. You are at least 18 years old, and, if considered a minor in Your place of residence, You have Your parent’s or legal guardian’s permission prior to submitting a Submission.
  2. You are not a resident or national of a U.S. Government sanctioned or embargoed country.
  3. You are not on any U.S. Government list of sanctioned individuals.
  4. You are reporting in Your individual capacity or, if You are employed by a company or other entity and are reporting on behalf of Your employer, You have Your employer’s written approval to submit a Submission to AMD’s Bug Bounty Program.
  5. Within 6 months prior to submitting a report, You were:
    • not an employee of AMD, or an AMD subsidiary.
    • not under contract to AMD, or an AMD subsidiary.
    • neither a family nor household member of any individual who currently meets or met the criteria listed in the two bullet points directly above.
  6. You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of Your finding with AMD.
  7. You did not and will not access any personal information that is not Your own, including by exploiting the Vulnerability.
  8. You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
    • AMD does not consider testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
  9. There may be additional restrictions on your eligibility to participate in the Bug Bounty Program depending upon your local laws and it is your responsibility to comply with any such applicable local laws.

Eligibility Requirements for Submissions:

Your Submission must include the information listed below (if any piece of information below is missing, Your Submission may be rejected):

  1. The name(s) of the AMD product and/or technology and the respective version information.
    • You must provide the AMD product and/or technology must be identified and must be an in scope product at the time of Your Submission.
    • The Vulnerability You identify must be original, one that has not been previously reported to AMD, nor publicly disclosed at the time of Your submission.
  2. Submission(s) must demonstrate that the potential Vulnerability has been proven against the most recent publicly available version of the product or technology.
  3. Detailed description of the potential security Vulnerability.
    • Your Submission should explain how exploitation of the potential Vulnerability can negatively impact confidentiality, integrity, and/or availability of the affected product(s).
  4. Proof-of-concept that details how to reproduce the potential security Vulnerability.
    Provide clear instructions, that if followed by an AMD product engineering team, clearly demonstrate successful exploitation of the reported issued on an impacted AMD product. The more details provided in the initial Submission, the easier it will be for AMD to evaluate Your information. If a potential security Vulnerability is not reproducible, Your Submission may be ineligible for a Bounty award.

Recommended Format for Submission Content:

  1. Overview: summary of the reported issues; statement of potential impact; name and specific version of the AMD product(s)/technology impacted.
  2. Details: detailed explanation of the reported issue; how it can be exploited; how exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected products; likelihood of a successful exploit.
  3. Proof-of-concept (POC): instructions that, if followed by AMD product engineering team, clearly demonstrate successful exploitation of the reported issue on an impact AMD product; information on how any POC code was developed and complied; code required to execute the POC; description of the development environment and operation system revisions; compiler name, version, options used to compile.
  4. Scoring: Your proposed CVSS score, CVSS vector, and justifications for the selections; identify the Common Weakness Enumeration (CWE).

Sensitive and Personal Information:

Never attempt to access anyone else's data or personal information including by exploiting a Vulnerability. Such activity is unauthorized. If during Your testing You interacted with or obtained access to data or personal information of others, You must:
Stop your testing immediately and cease any activity that involves the data or personal information, or the Vulnerability.
Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
Alert AMD immediately and support our investigation and mitigation efforts.

** Failure to comply with any of the above will immediately disqualify any Submission from bounty award eligibility **

If you violate the Rules of Engagement, the following may occur:

  1. Your Submission may be deemed ineligible.
  2. Denial of any or all potential bounty awards.
  3. Temporary or permanent revocation of Security Researcher eligibility, and/or
  4. Removal from current engagements and/or prohibition from future engagement eligibility.

Under the Program, AMD agrees to provide named acknowledgement on an AMD disclosure to the best of its ability.

  • For example, AMD will only use the information provided by You in a Submission.
  • Acknowledgements will include Your bug bounty platform username only, unless You request otherwise in Your Submission.
  • If multiple collaborators should be acknowledged, ensure all users are included in the Submission.
  • You may request to remain anonymous at any time prior to publication of a respective AMD disclosure.
  • AMD will not edit the acknowledged name unless it is proven to be inaccurate.
  • Additional limits may apply.
Domains

Hardware

Tier 1
Other

Vulnerabilities in the physical hardware of in scope products and technologies

Firmware

Tier 2
Other

Vulnerabilities in the firmware of in scope products and technologies

Software

Tier 3
Other

Vulnerabilities in drivers or other software required to operate in scope products and technologies

Out of Scope

Out of scope
Other
  • Optional tools
  • Product-independent software
  • Software for products and technologies for out of scope products
In scope

Thank you for your interest in the AMD Bug Bounty Program

The AMD Bug Bounty Program is a collaboration between AMD and the research community. AMD believes that collaboration with security researchers and promoting security research is an important step in helping to improve the security of AMD products. We encourage security researchers to work with us to help mitigate and coordinate the disclosure of potential security vulnerabilities and look forward to working with you!

Eligible AMD branded products and technologies that are in scope of the Program:

  • 3rd Gen AMD EPYC™ Processors (“Milan”)
    -Includes AMD EPYC 7xx3, 7xx3X
  • 4th Gen AMD EPYC™ Processors (“Genoa”)
    -Includes AMD EPYC 9xx4, 9xx4X
  • AMD Ryzen™ 7000 Series Mobile Processors with Radeon™ Graphics (“Rembrandt-R", "Dragon Range", "Mendocino", "Phoenix")
    -Includes AMD Ryzen 7020, 7035, 7040, 7045, Athlon™ Gold 7220U, Athlon™ Silver 7120U
  • AMD Radeon RX 7000 Series (“Navi 3x”) (Latest available version)
  • AMD Radeon PRO W7000 Series (“Navi 3x”) (Latest available version)
  • Xilinx Runtime (XRT) (Latest available version)
  • Bootgen (Latest available version)
  • Pensando Policy & Security Manager (PSM) (Latest available version)

Please refer to Developer Central for more information.

NOTE: You must purchase/obtain any AMD products on Your own.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback below:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

General

  • Vulnerabilities discovered in products and technologies not listed as in scope above.
  • Non-current firmware/software versions
  • Duplicate reports
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Third-Party Products
  • Open-Source Software
  • Web Infrastructure

Vulnerabilities that are considered ineligible for a bounty award are as follows:

  • Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device.

  • Submissions that are entered by the Researcher under the AMD Vulnerability Disclosure Program

  • Products that are considered no longer eligible under AMD’s Security Support Policy

  • AMD cannot and does not authorize security research on another party’s products or security research in the name of other entities or individuals.

**These types of submissions may be reported to AMD directly by sending an email to psirt@amd.com.

Severity assessment
  • Bounty award payments under this Program, including the timing, Bounty amount and form of payments, are made at AMD’s sole discretion and will be made on a case-by-case basis.

  • AMD considers a range of factors when determining the award amount, including, the quality of the Submission (including respective proof-of-concept code), impact of the potential Vulnerability, type of Vulnerability, CVSS severity score, whether a proof-of-concept (“POC”) was provided and the quality of the POC. See Security Researcher and Submission Eligibility Criteria section.

  • AMD currently uses CVSS 3.1 standard for severity scoring and associated CVE Numbering rules. AMD will however, begin transition to CVSS 4.0 standards in the future. We request that submissions include 3.1 and 4.0 CVSS scoring until CVSS 3.1 is phased out at which time this website will be updated

  • AMD reserves the right to determine the severity of any potential Vulnerability reported.

FAQ

DEFINITIONS

Term Definition
Asset Hardware, processor, System-on-Chip (“SOC”), network, technology, infrastructure, application, software or other target, communicated by a Company in its Program, for the purpose of having its security assessed by You.
Bounty A monetary reward, that is awarded to You when You make the first Submission deemed to be a Vulnerability in an AMD Asset.
Ethical Hacking ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ The process of attempting to penetrate an Asset and bypass its security, for the purpose of identifying an Asset’s potential security Vulnerabilities and informing the Program owner of such Vulnerabilities. It may also entail an attempt to exploit encountered Vulnerabilities, in order to determine to what extent unauthorized access and/or malicious activities could be possible. Ethical hacking is considered “ethical” in the sense that the hacker has good intentions and discloses the Vulnerabilities it identifies to the Program owner , so that it can improve its Asset’s security.
Platform The platform accessible at https://app.intigriti.com.
Program An AMD security initiative published on the Platform, by means of which AMD authorizes You to test the security of the Asset described as in scope of the Program, for the purpose of reporting Submissions.
Program Conditions ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ The conditions, scope and requirements governing AMD’s Program to which the Researchers must agree, as detailed by AMD herein, and the Bounties, if any that AMD approves to be awarded to Researchers who participate in the Program.
Researcher(s) (You) ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ Independent security researchers (ethical hackers) that are active on the Platform and agree to participate in one or more Programs.
Submission Your description of a Vulnerability identified in an Asset, in the context of its participation in a Program. Submissions are submitted by You through the Platform. By submitting a Submission, You agree that AMD may take all steps needed to validate, assess, mitigate, and disclose the Vulnerability, and that You grant AMD all rights to Your Submission needed to do so.
Vulnerability ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ A possible weakness in the Asset that could be exploited by an actor on an unauthorized basis that enables access to, use of, or control over the Asset. A weakness may be introduced through a bug, defect, design- or execution error, absence of alignment to the most recent state of the art, or any other (technical) error . Examples of outcomes of a successful exploit of a possible weakness include an actor compromising security properties of an Asset such as integrity, availability or confidentiality, exposing or tampering with data available in or through such Asset, taking control of or escalating privilege within an Asset, or causing disruption of or denial of access to an Asset.
All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
no reputation No collaboration
Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
+3 weeks
avg. time to triage
< 4 days
Activity
7/22
AMD
closed a submission
7/21
logo
created a submission
7/19
AMD
closed a submission
7/18
AMD
closed a submission
7/18
AMD
closed a submission
7/18
AMD
closed a submission
7/18
AMD
closed a submission
7/17
AMD
closed a submission
7/16
logo
created a submission
7/15
AMD
closed a submission