By participating in this Program, you (the “Researcher”, herein referred to as “You”) agree to the following Rules of Engagement:
- You agree to follow the Intigriti Code of Conduct.
- You agree to follow the Intigriti Researcher Terms and Conditions.
- You meet the Security Researcher and Submission Eligibility Criteria listed below for any AMD Bug Bounty Program You chose to participate in, and You agree to the AMD Program Conditions outlined herein.
- You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform.
- Your Submission is for an Asset (herein referred to as “product” and/or “technology”) that is identified as in scope of the AMD Program(s).
- You agree that in the course of Your research under this Program, You will not attempt to access anyone else’s data or personal information, including by exploiting a Vulnerability. See Sensitive and Personal Information section below for additional details.
- You agree to conduct Your research within the bounds of Ethical Hacking. See Safe Harbor section below for additional details.
- You acknowledge that Bounty awards under this Program, including the timing, bounty amount and form of payments, are at AMD’s sole discretion and will be made by AMD on a case-by-case basis. See Bounty Award Payment section for additional details.
- You agree to adhere to any embargoes and refrain from discussing or disclosing any Vulnerability information without AMD’s prior written consent (including POCs on YouTube, Vimeo, etc.).
- You agree to practice coordinated disclosure in all of Your security research conducted under the Program (this includes posting/sharing of information on any social media venue).
- You agree to give AMD a perpetual license to freely use any information and/or communications ("feedback") you provide through the reporting process in the Program.
Safe Harbor
AMD agrees to provide commercially reasonable safe harbor and will not initiate a lawsuit or law enforcement investigations against Researchers who follow the Rules of Engagement and conduct research within the bounds of Ethical Hacking. Please note this waiver does not apply to security research that involves the networks, systems information, applications, devices, products or services of another party (i.e., any party other than AMD). AMD cannot and does not authorize security research on another party’s products or in the name of other entities or individuals. A gentle reminder that Ethical Hacking without permission from the owner may be illegal, even with the best intentions in mind.
Under the Program, AMD agrees to provide named acknowledgement on an AMD disclosure to the best of its ability.
- For example, AMD will only use the information provided by You in a Submission.
- Acknowledgements will include Your bug bounty platform username only, unless You request otherwise in Your Submission.
- If multiple collaborators should be acknowledged, ensure all users are included in the Submission.
- You may request to remain anonymous at any time prior to publication of a respective AMD disclosure.
- AMD will not edit the acknowledged name unless it is proven to be inaccurate.
- Additional limits may apply.
Bug Bounty Reporting
Please review the Security Researcher and Submission Eligibility Criteria below for the AMD Bug Bounty Program before providing a report (a “Submission”).
By submitting Your report, You agree to the Intigriti Code of Conduct, the Intigriti Researcher Terms and Conditions and the AMD Program Conditions documented herein. In the event the Program Conditions of the AMD Bug Bounty Program(s) conflict with the Intigriti T&Cs, the AMD Program Conditions shall prevail.
NOTE: AMD cannot and does not authorize security research on another party’s products or security research in the name of other entities or individuals.
AMD Security Researcher Eligibility Criteria – You agree to the following terms:
- You are at least 18 years old, and, if considered a minor in Your place of residence, You have Your parent’s or legal guardian’s permission prior to submitting a Submission.
- You are not a resident or national of a U.S. Government sanctioned or embargoed country.
- You are not on any U.S. Government list of sanctioned individuals.
- You are reporting in Your individual capacity or, if You are employed by a company or other entity and are reporting on behalf of Your employer, You have Your employer’s written approval to submit a Submission to AMD’s Bug Bounty Program.
- Within 6 months prior to submitting a report, You were:
  - not an employee of AMD, or an AMD subsidiary.
  - not under contract to AMD, or an AMD subsidiary.
  - neither a family nor household member of any individual who currently meets or met the criteria listed in the two bullet points directly above.
- You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of Your finding with AMD.
- You did not and will not access any personal information that is not Your own, including by exploiting the Vulnerability.
- You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
- AMD does not consider testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
- There may be additional restrictions on your eligibility to participate in the Bug Bounty Program depending upon your local laws and it is your responsibility to comply with any such applicable local laws.
Eligibility Requirements for Submissions:
Your Submission must include the information listed below (if any piece of information below is missing, Your Submission may be rejected):
- The name(s) of the AMD product and/or technology and the respective version information.
- The AMD product and/or technology must be identified and must be an in-scope product at the time of Your Submission.
- The Vulnerability You identify must be original, one that has not been previously reported to AMD, nor publicly disclosed at the time of Your submission.
- Submission(s) must demonstrate that the potential Vulnerability has been proven against the most recent publicly available version of the product or technology.
- Detailed description of the potential security Vulnerability.
- Your Submission should explain how exploitation of the potential Vulnerability can negatively impact confidentiality, integrity, and/or availability of the affected product(s).
- Proof-of-concept that details how to reproduce the potential security Vulnerability.
Provide clear instructions that, if followed by an AMD product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted AMD product. The more details provided in the initial Submission, the easier it will be for AMD to evaluate Your information. If a potential security Vulnerability is not reproducible, Your Submission may be ineligible for a Bounty award.
Recommended Format for Submission Content:
- Overview: summary of the reported issues; statement of potential impact; name and specific version of the AMD product(s)/technology impacted.
- Details: detailed explanation of the reported issue; how it can be exploited; how exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected products; likelihood of a successful exploit.
- Proof-of-concept (POC): instructions that, if followed by an AMD product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted AMD product; information on how any POC code was developed and compiled; code required to execute the POC; description of the development environment and operating system revisions; compiler name, version, options used to compile.
- Scoring: Your proposed CVSS score, CVSS vector, and justifications for the selections; identify the Common Weakness Enumeration (CWE).
Sensitive and Personal Information:
Never attempt to access anyone else's data or personal information including by exploiting a Vulnerability. Such activity is unauthorized. If during Your testing You interacted with or obtained access to data or personal information of others, You must:
- Stop your testing immediately and cease any activity that involves the data or personal information, or the Vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert AMD immediately and support our investigation and mitigation efforts.
** Failure to comply with any of the above will immediately disqualify any Submission from bounty award eligibility **
If you violate the Rules of Engagement, the following may occur:
- Your Submission may be deemed ineligible.
- Denial of any or all potential bounty awards.
- Temporary or permanent revocation of Security Researcher eligibility, and/or
- Removal from current engagements and/or prohibition from future engagement eligibility.