Sensitive and Personal Information
Never attempt to access anyone else's data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:
- Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
- Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
- Alert Intel immediately and support our investigation and mitigation efforts.
Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.
Third-Party Products
Third-party products that do or do not contain Intel-branded products or technology fall out of Scope. However, if the issue is root-caused to an Intel-branded product or technology, please submit your report under the appropriate Scope type above.
Intel-Maintained Open Source Projects
Intel-Maintained open source software projects fall out of Scope. Please contact the open source project maintainer directly.
Intel Open/Prototyping Platforms
Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of Scope.
Intel Freeware Applications
Intel freeware applications are out of Scope. However, if you have a security vulnerability in an Intel freeware application, please send your report to the Intel Product Security Response Team (PSIRT) at secure@intel.com. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at https://security-center.intel.com
McAfee Products
Products of former Intel subsidiary McAfee fall out of Scope. Please send vulnerability reports against McAfee products to the McAfee product security team. For more information, visit https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx
Recent Acquisitions
Recent acquisitions by Intel are out of Scope for the Bug Bounty program for a minimum period of 6 months after the acquisition is complete. If you have a security vulnerability in a product recently acquired by Intel, please send your report to the Intel Product Security Response Team (PSIRT) at secure@intel.com. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at https://security-center.intel.com
Intel's Web Infrastructure, i.e.*.intel.com
Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com
Open Chassis Physical Attacks
Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device are out of scope.
The following are general categories of vulnerabilities that are considered ineligible for a bounty award:
- Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device.
- Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
- Vulnerabilities in product versions no longer under active support.
- Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
- Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
- Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope as defined below.
Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.
Specific Examples of Out of Scope Findings
- Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, are out of scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com.
- Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of scope.
- Intel freeware applications are out of scope.
- Intel-Maintained open source software projects fall out of scope. Please contact the open source project maintainer directly.
- Products of former Intel subsidiaries, such as McAfee and Wind River, are out of scope.
In Scope eligible products and technologies are listed above, if you are unsure whether a product or technology is eligible, contact Intel PSIRT at secure@intel.com. Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program please refer to our Vulnerability Handling Guidelines.
Intel reserves the right to alter the terms and conditions of this program at its sole discretion.