By participating in this program, you agree:
- To follow the Intigriti Community Code of Conduct. See “Intigriti Community Code of Conduct.”
- To follow the Intel Security Vulnerability Rearcher Community Code of Conduct. See Security Vulnerability Rearcher Community Code of Conduct
- To follow the Intigriti Terms and Conditions. See “Intigriti Terms and Conditions.”
- To follow the Rules of Engagement and scope of the program. See “Intel Bug Bounty Program Policy.”
- You will not discuss or disclose vulnerability information with anyone not authorized by Intel without prior written consent from Intel (including PoC's on YouTube, Vimeo, etc). See Coordinated Vulnerability Disclosure.
- You meet the eligibility criteria for this program. See “Security Researcher and Reporter Eligibility Criteria” section.
- Your submission meets the eligibility requirements for this program. See “Report Eligibility Criteria” and “Product Eligibility Criteria” section.
- You will not attempt to access anyone else's data or personal information, including by exploiting a vulnerability. See “Sensitive and Personal Information” section.
- To have freely given Intel a perpetual license for all information and communications provided through the reporting process. See “Intellectual Property” section.
By participating in this program, Intel agrees:
- To provide reasonable safe harbor to researchers following all Rules of Engagement. See “Safe Harbor” section.
- To provide named acknowledgement on Intel disclosure(s) that include information provided during the reporting process. See “Intellectual Property” section.
- To award monetary rewards for valuable security research. See “Bounties” section.
- To use the current CVSS standard for severity scoring. See “Current Standards Used” section.
- To follow CVE Numbering Authority Rules. See “Current Standards Used” section.
Violating these rules may result in, but is not limited to:
- Revocation of Report eligibility,
- Denial of any or all potential rewards,
- Temporary or permanent revocation of Security Researcher and Reporter eligibility, and
- Removal from current engagements and/or prohibition from future engagement eligibility.
Researcher/Reporter Agreements
Product Eligibility Criteria
Intel encourages the reporting of all potential vulnerabilities. Intel® branded products and technologies which are maintained and distributed by Intel are eligible for rewards from this program. This includes but may not be limited to the following categories.
- Processors
- Server Products
- Intel® NUC (Next Unit of Computing)
- Wireless
- Ethernet products
- Intel® FPGAs (Field Programmable Gate Array)
- Memory and Storage
- Chipsets
- Graphics
Hardware – Product specifications may be found on ARK. Processor support timeline may be found on this help page.
Firmware – Firmware may be found on the Download Center.
Software – Software may be found in a variety of places on the Intel website including Product Support Tools & Utilities, Development Tools, Developer Catalog, and Design-iN Tools Store.
Note: All testing resources must be obtained by participating security researchers.
Note: The Discontinued Products support page can be a useful list for identifying products that are not eligible for this program.
Report Eligibility Criteria
Intel encourages you to submit any report for consideration. For the report to be eligible for bounty award consideration, your report must meet the following requirements:
- The report and any accompanying material is first sent to Intel.
- The Intel® product(s) in your report correspond to an item in the “Product Eligibility Criteria” section.
- The vulnerability you identify must be original, not previously reported to Intel, and not publicly disclosed.
- The report must show that the potential vulnerability has been demonstrated against a currently supported (often the most recent) and publicly available version of the affected product or technology.
- The report must contain clear documentation that provides information required for the report to be processed.
- Minimum:
- Name and specific version of the Intel® product(s) the potential issue may impact
- How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
- Instructions that, if followed by the Intel product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Intel® platform
- Identify the reported Common Weakness Enumeration (CWE)
- Recommended Content:
- Overview
- An overview/summary of the reported issue
- Statement of potential impact
- Name and specific version of the Intel® product(s) the potential issue may impact
- Details
- Detailed explanation of the reported issue
- How it can be exploited
- How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
- Likelihood of a successful exploit
- Proof of Concept (POC)
- Instructions that, if followed by the Intel product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Intel® platform
- Information on how any POC code was developed and compiled
- Code required to execute the POC
- Description of the development environment and operating system revisions
- Compiler name, version, options used to compile
- Scoring
- Proposed CVSS score
- Proposed CVSS vector
- Justification for the selections (using the stated specification).
- Identify the reported Common Weakness Enumeration (CWE)
- (PSIRT Direct Contact Only) The report was submitted to the Bug Bounty Program within the required period for eligibility: 60 days from notice to resubmit or the date of disclosure, whichever is shorter.
The more details provided in the initial report, the easier it will be for Intel to evaluate your report. Omitting Proof-of-Concept or Proof-of-Exploit(ability) from a report may result in the report being ineligible for a bounty or a delay in triage of the report.
Security Researcher and Reporter Eligibility Criteria
All criteria must be met to participate in the Bug Bounty Program.
- You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to the Intel® Bug Bounty Program.
- You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
- You are not a resident of a U.S. (United States) Government embargoed country.
- You are not on a U.S. Government list of sanctioned individuals.
- You are not currently, nor have you been an employee of Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
- You are not currently, nor have you been under contract to Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
- You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
- You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel.
- You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
- You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Intel does not view testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
- There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.
If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to Intel PSIRT (secure@intel.com).
Sensitive and Personal Information
Never attempt to access anyone else's data or personal information, including by exploiting a vulnerability. Such activity is unauthorized. If during your research, testing, or communication with Intel you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert Intel immediately and support our investigation and mitigation efforts.
Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.
Intel Agreements
Bounties
Bounty award arrangements under this program, including the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made case-by-case following the principle of One CVE = One Bounty.
Intel’s bug bounty awards range from $500 up to $100,000. We consider a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, impact of the potential vulnerability, type of vulnerability, CVSS severity score, whether a POC was provided and the quality of the POC (see “Report Eligibility Criteria” section). The table below is a general guide to the potential award amounts. However, the awards may vary based on the factors mentioned.
Vulnerability Severity | CVSS Score Range | Intel Software | Intel Firmware | Intel Hardware |
Critical | 9.0 - 10.0 | Up to $10,000 | Up to $30,000 | Up to $100,000 |
High | 7.0 - 8.9 | Up to $5,000 | Up to $15,000 | Up to $30,000 |
Medium | 4.0 - 6.9 | Up to $1,500 | Up to $3,000 | Up to $5,000 |
Low | 0.1 - 3.9 | Up to $500 | Up to $1,000 | Up to $2,000 |
Intel, at its sole discretion, may reject any submission that we determine does not meet the “Security Researcher and Reporter Eligibility Criteria,” “Product Eligibility Criteria,“ or “Report Eligibility Criteria” sections or that are deemed as ineligible as set forth below.
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.
Current Standards in Use
Safe Harbor
If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.
Shared Agreements
Intellectual Property
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel all rights to your Submission needed to do so.
Intel will, to the best of its ability, offer named acknowledgement on any Intel publications which include information provided through the reporting process. For Submissions with multiple collaborators, please ensure all users are included on the report at the time of submission to ensure acknowledgement.
Acknowledgements will utilize the bug bounty platform username only, unless otherwise requested at the time of submission, or anonymity if requested before publication occurs. Limits may apply. Intel will not edit the acknowledged name unless it can be proven to be inaccurate.