By participating in this program, you agree:

1. To follow the Intigriti Community Code of Conduct. See “Intigriti Community Code of Conduct.”
2. To follow the Intel Security Vulnerability Rearcher Community Code of Conduct. See Security Vulnerability Rearcher Community Code of Conduct
3. To follow the Intigriti Terms and Conditions. See “Intigriti Terms and Conditions.”
4. To follow the Rules of Engagement and scope of the program. See “Intel Bug Bounty Program Policy.”
5. You will not discuss or disclose vulnerability information with anyone not authorized by Intel without prior written consent from Intel (including PoC's on YouTube, Vimeo, etc). See Coordinated Vulnerability Disclosure.
6. You meet the eligibility criteria for this program. See “Security Researcher and Reporter Eligibility Criteria” section.
7. Your submission meets the eligibility requirements for this program. See “Report Eligibility Criteria” and “Product Eligibility Criteria” section.
8. You will not attempt to access anyone else's data or personal information, including by exploiting a vulnerability. See “Sensitive and Personal Information” section.
9. To have freely given Intel a perpetual license for all information and communications provided through the reporting process. See “Intellectual Property” section.

By participating in this program, Intel agrees:

1. To provide reasonable safe harbor to researchers following all Rules of Engagement. See “Safe Harbor” section.
2. To provide named acknowledgement on Intel disclosure(s) that include information provided during the reporting process. See “Intellectual Property” section.
3. To award monetary rewards for valuable security research. See “Bounties” section.
4. To use the current CVSS standard for severity scoring. See “Current Standards Used” section.
5. To follow CVE Numbering Authority Rules. See “Current Standards Used” section.

Violating these rules may result in, but is not limited to:

1. Revocation of Report eligibility,
2. Denial of any or all potential rewards,
3. Temporary or permanent revocation of Security Researcher and Reporter eligibility, and
4. Removal from current engagements and/or prohibition from future engagement eligibility.

Researcher/Reporter Agreements

Product Eligibility Criteria

Intel encourages the reporting of all potential vulnerabilities. Intel® branded products and technologies which are maintained and distributed by Intel are eligible for rewards from this program. This includes but may not be limited to the following categories.

• Processors
• Server Products
• Intel® NUC (Next Unit of Computing)
• Wireless
• Ethernet products
• Intel® FPGAs (Field Programmable Gate Array)
• Memory and Storage
• Chipsets
• Graphics

Hardware – Product specifications may be found on ARK. Processor support timeline may be found on this help page.
Firmware – Firmware may be found on the Download Center.
Software – Software may be found in a variety of places on the Intel website including Product Support Tools & Utilities, Development Tools, Developer Catalog, and Design-iN Tools Store.
Note: All testing resources must be obtained by participating security researchers.

Report Eligibility Criteria

Intel encourages you to submit any report for consideration. For the report to be eligible for bounty award consideration, your report must meet the following requirements:

1. The report and any accompanying material is first sent to Intel.
2. The Intel® product(s) in your report correspond to an item in the “Product Eligibility Criteria” section.
3. The vulnerability you identify must be original, not previously reported to Intel, and not publicly disclosed.
4. The report must show that the potential vulnerability has been demonstrated against a currently supported (often the most recent) and publicly available version of the affected product or technology.
5. The report must contain clear documentation that provides information required for the report to be processed.
   1. Minimum:
      1. Name and specific version of the Intel® product(s) the potential issue may impact
      2. How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
      3. Instructions that, if followed by the Intel product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Intel® platform
      4. Identify the reported Common Weakness Enumeration (CWE)
   2. Recommended Content:
      1. Overview
         1. An overview/summary of the reported issue
         2. Statement of potential impact
         3. Name and specific version of the Intel® product(s) the potential issue may impact
      2. Details
         1. Detailed explanation of the reported issue
         2. How it can be exploited
         3. How exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected product(s)
         4. Likelihood of a successful exploit
      3. Proof of Concept (POC)
         1. Instructions that, if followed by the Intel product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted Intel® platform
         2. Information on how any POC code was developed and compiled
         3. Code required to execute the POC
         4. Description of the development environment and operating system revisions
         5. Compiler name, version, options used to compile
      4. Scoring
         1. Proposed CVSS score
         2. Proposed CVSS vector
         3. Justification for the selections (using the stated specification).
         4. Identify the reported Common Weakness Enumeration (CWE)
6. (PSIRT Direct Contact Only) The report was submitted to the Bug Bounty Program within the required period for eligibility: 60 days from notice to resubmit or the date of disclosure, whichever is shorter.

The more details provided in the initial report, the easier it will be for Intel to evaluate your report. Omitting Proof-of-Concept or Proof-of-Exploit(ability) from a report may result in the report being ineligible for a bounty or a delay in triage of the report.

Security Researcher and Reporter Eligibility Criteria

All criteria must be met to participate in the Bug Bounty Program.

1. You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to the Intel® Bug Bounty Program.
2. You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
3. You are not a resident of a U.S. (United States) Government embargoed country.
4. You are not on a U.S. Government list of sanctioned individuals.
5. You are not currently, nor have you been an employee of Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
6. You are not currently, nor have you been under contract to Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
7. You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
8. You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel.
9. You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
10. You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Intel does not view testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
11. There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to Intel PSIRT (secure@intel.com).

Sensitive and Personal Information

Never attempt to access anyone else's data or personal information, including by exploiting a vulnerability. Such activity is unauthorized. If during your research, testing, or communication with Intel you interacted with or obtained access to data or personal information of others, you must:

• Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
• Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
• Alert Intel immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.

Intel Agreements

Bounties

Bounty award arrangements under this program, including the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made case-by-case following the principle of One CVE = One Bounty.

Intel’s bug bounty awards range from $500 up to $100,000. We consider a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, impact of the potential vulnerability, type of vulnerability, CVSS severity score, whether a POC was provided and the quality of the POC (see “Report Eligibility Criteria” section). The table below is a general guide to the potential award amounts. However, the awards may vary based on the factors mentioned.

Intel, at its sole discretion, may reject any submission that we determine does not meet the “Security Researcher and Reporter Eligibility Criteria,” “Product Eligibility Criteria,“ or “Report Eligibility Criteria” sections or that are deemed as ineligible as set forth below.
Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.

Current Standards in Use

• Common Vulnerability Scoring System (CVSS): Version 3.1
• CVE Numbering Authority Rules: Version 3.0

Safe Harbor

If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.

Shared Agreements

Intellectual Property

By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel all rights to your Submission needed to do so.

Intel will, to the best of its ability, offer named acknowledgement on any Intel publications which include information provided through the reporting process. For Submissions with multiple collaborators, please ensure all users are included on the report at the time of submission to ensure acknowledgement.

Acknowledgements will utilize the bug bounty platform username only, unless otherwise requested at the time of submission, or anonymity if requested before publication occurs. Limits may apply. Intel will not edit the acknowledged name unless it can be proven to be inaccurate.

See "Product Eligibility Criteria" and "Report Eligibility Criteria" sections.

Common Scope Edge Cases

Some products may use the Intel® Bug Bounty Program to process external security research submissions through the Intel PSIRT program. These examples are intended as a guideline but may not be complete. Reports in these categories are not eligible for monetary rewards by default.

End of Life Products

Products which have reached an End of Life (EOL), or End of Service (EOS) status fall out of Scope for bounty rewards, however we request that you report any vulnerabilities to PSIRT for disposition.

Open-Source Projects

Open-source projects fall out of Scope for bounty rewards. Please contact the open-source project maintainer directly.
Some open-source projects maintained by Intel request vulnerabilities be submitted to Intel PSIRT. For these projects you may submit a report through the Intel® Bug Bounty Program; these reports will not be eligible for rewards. See the project-specific Security.md file for details.
Open-source projects that are solely maintained by Intel are in Scope and vulnerabilities should be submitted to the Intel® Bug Bounty Program. See the project-specific Security.md file for details.

Intel’s Web Infrastructure, i.e.*.intel.com

Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope for bounty rewards. For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.
Any submissions to the Intel® Bug Bounty Program in this category will be forwarded internally to the appropriate team.

Recent Acquisitions

Recent acquisitions by Intel are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Products may only be eligible for inclusion if Intel PSIRT supports that product. Other products and companies acquired by Intel which have not yet been branded with Intel trademarks may not be eligible for bounty rewards. If you have a security vulnerability in a product or company acquired by Intel, please send your report to the Intel PSIRT team.

Third-Party Products

Third-party products that do or do not contain Intel® branded products or technology fall out of Scope for bounty rewards. However, if the issue is root-caused to an Intel® branded product or technology, please submit your report under the appropriate Product type above.

Out of Scope (Ineligible Reports)

Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities out of scope for the Bug Bounty Program please refer to our Vulnerability Handling Guidelines.

General

Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion. Vulnerabilities in products and technologies that do not meet “Product Eligibility Criteria,” are considered out of Scope.

Credentials

Username, password, account identifier, keys, certificates, or other credentials that have been published, leaked, or exposed in some way should be reported to this program to ensure they can be properly investigated, cleaned up, and secured. Credentials are out of Scope for rewards.

Divestitures

Products of former Intel subsidiaries fall out of Scope. Please send vulnerability reports against those products to their respective product security team. This list is not complete but may be used as a guide:

• McAfee - https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx
• Wind River - https://www.windriver.com/psirt-policy
• BlueZ - http://www.bluez.org/development/security-bugs/

Duplicate Reports

Vulnerabilities already known to Intel fall out of Scope and are not eligible for rewards. This includes both internally identified and externally reported vulnerabilities.

Intel Open/Prototyping Platforms

Intel products intended for prototyping use or that are “open” to provide customers with debugging capability are out of Scope for bounty rewards.

Open Chassis Physical Attacks

Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device are out of scope for bounty rewards.

Owner-Attacker & Physical Access Attacks

Valid submissions against firmware weaknesses requiring physical access or UEFI shell, are out of scope for bounty rewards.
Operating System access attacks such as Malicious Kernel are generally considered in scope. Weaknesses found in out-of-band management solutions such as BMC, CSME or similar are generally in scope for bounty rewards.

Pre-Release Products

Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate) fall out of Scope for bounty rewards.

See "Current Standards in Use" and "Bounties" sections.

Where can I find the Vulnerability Handling Guidelines?
Information can be found here

Is Intel's Web Infrastructure, i.e.*.intel.com inscope?
Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com

Where can I find the Intel PSIRT public key?
The Intel's PSIRT public key can be found here

Are Bounty payments always the same?
Eligibility for any bug bounty award and award amount determinations are made at Intel’s sole discretion. These are some general guidelines that may vary from published documentation:

1. Awards may be greater:
   1. based on the potential impact of the security vulnerability
   2. for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
   3. if a functional mitigation or fix is proposed along with the reported vulnerability.
2. Intel will award a bounty award for the first eligible report of a security vulnerability.
3. Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
4. Intel will award a bounty depending on the vulnerability type and originality, quality, and content of the report.
5. Intel will recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
6. Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.

When will a bounty be awarded? What is the schedule for payment?
Each bug bounty report is individually evaluated based on the technical details provided in the report. Intel follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.

• Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
• Triage - A team of Intel product engineers and security experts will determine if a vulnerability is valid, and an eligible Intel product or technology is impacted.
• Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.

Can I earn rewards for a report if I was not the first to report it?
In most cases, no. See “Report Eligibility Criteria” section for the policy statement. To earn a reward, you must be the first person to submit the vulnerability information to Intel. If your report has been flagged as a duplicate (non-original) we will do our best to provide information to you about the original submission to indicate when and how it was submitted. This may include a CVE number, Intel Security Advisory number, ticket identifier and/or date of the original submission.

Will I be acknowledged for Open-Source Software vulnerabilities?
See the “Intellectual Property” section. Intel will provide acknowledgment to the original researcher/reporter for any Submission which reaches a coordinated disclosure status. This includes only reports that have been accepted by Intel PSIRT.

I sent a vulnerability in an email (PSIRT Direct Contact) before sending it through the Bug Bounty Program. Can I earn a Bounty for it?
In most cases, yes. Rewards can ONLY be offered through the Intel Bug Bounty Program, and NOT through PSIRT Direct Contact. When using the direct contact method, PSIRT will remind you that if you wish to be eligible for a bounty you MUST use the Bug Bounty Program to submit the vulnerability. A time limit will apply to all submissions that request to be transferred. See “Report Eligibility Criteria” section for more details.