Description

Intel® Bug Bounty Program Security is a collaboration... Intel Corporation believes that forging relationships with security researchers and fostering security research is a crucial part of our Security First Pledge. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities.

Bounties
Tier | Low | Medium | High | Critical | Exceptional | Range
Tier 1 | $2,000 | $5,000 | $30,000 | $100,000 | $100,000 | $2,000 - $100,000
Tier 2 | $1,000 | $3,000 | $15,000 | $30,000 | $30,000 | $1,000 - $30,000
Tier 3 | $500 | $1,500 | $5,000 | $10,000 | $10,000 | $500 - $10,000

Rules of engagement

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Bug Bounty Reporting
Please review these Bug Bounty Program Terms before submitting a report. By submitting your report, you agree to the terms of Intel’s Bug Bounty Program.

If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Intel). We cannot and do not authorize security research in the name of other entities.

In the report please include the following information:

  • The name(s) of the Intel product or technology and the respective version information.
  • Detailed description of the potential security vulnerability.
  • Proof-of-concept that details the reproduction of the potential security vulnerability. The more details provided in the initial report, the easier it will be for Intel to evaluate your report.

Security Researcher and Reporter Eligibility Criteria - You agree to the following terms:

  • The Intel products in your report correspond to an item explicitly listed below as “Eligible Intel branded products and technologies”.
  • The vulnerability you identify must be original, not previously reported to Intel, and not publicly disclosed.
  • The report must show that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected product or technology.
  • You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to Intel’s Bug Bounty program.
  • You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of a U.S. Government embargoed country.
  • You are not on a U.S. Government list of sanctioned individuals.
  • You are not currently nor have been an employee of Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
  • You are not currently nor have been under contract to Intel Corporation, or an Intel subsidiary, within 6 months prior to submitting a report.
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Intel.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Intel does not view testing that is done in compliance with the terms and conditions of this bug bounty program as unauthorized.
  • There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to Intel PSIRT (secure@intel.com).

Sensitive and Personal Information
Never attempt to access anyone else's data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert Intel immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.

Intellectual Property
By submitting your content to Intel (your “Submission”), you agree that Intel may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Intel any and all rights to your Submission needed to do so.

Domains

  • (Hardware) Processor (inclusive of micro-code ROM + updates): Tier 1
  • (Hardware) Chipset: Tier 1
  • (Hardware) FPGA: Tier 1
  • (Hardware) Motherboard / System (e.g., Intel Compute Stick, NUC): Tier 1
  • (Hardware) Networking / Communication: Tier 1
  • (Hardware) Solid State Drive: Tier 1
  • (Firmware) Motherboard / System (e.g., Intel Compute Stick): Tier 2
  • (Firmware) Baseboard Management Controller (BMC): Tier 2
  • (Firmware) Intel® Management Engine: Tier 2
  • (Firmware) Solid State Drives: Tier 2
  • (Firmware) UEFI BIOS (Tiano core components for which Intel is the only named maintainer): Tier 2
  • (Software) Application: Tier 3
  • (Software) Development Tool: Tier 3
  • (Software) Device driver: Tier 3

In scope

Eligible Intel branded products and technologies that are maintained and distributed by Intel:

  • Microprocessors (inclusive of micro-code ROM + updates)
  • Chipsets
  • Field Programmable Gate Array (FPGA) components
  • Networking / communication components
  • Memory
  • Motherboards / systems (e.g., Intel Compute Stick, NUC)
  • Solid State Drives (SSD)
  • UEFI BIOS (Tiano core components for which Intel is the only named maintainer)
  • Intel® Management Engine
  • Baseboard Management Controller (BMC)
  • Device drivers
  • Applications
  • Development tools

Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program, please refer to our Vulnerability Handling Guidelines.

Intel, at its sole discretion, may reject any submission that we determine does not meet the criteria above or that is deemed ineligible as set forth below.

Out of scope

Third-Party Products
Third-party products that do or do not contain Intel-branded products or technology fall out of Scope. However, if the issue is root-caused to an Intel-branded product or technology, please submit your report under the appropriate Scope type above.

Intel-Maintained Open Source Projects
Intel-Maintained open source software projects fall out of Scope. Please contact the open source project maintainer directly.

Intel Open/Prototyping Platforms
Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of Scope.

Intel Freeware Applications
Intel freeware applications are out of Scope. However, if you have a security vulnerability in an Intel freeware application, please send your report to the Intel Product Security Response Team (PSIRT) at secure@intel.com. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at https://security-center.intel.com

McAfee Products
Products of former Intel subsidiary McAfee fall out of Scope. Please send vulnerability reports against McAfee products to the McAfee product security team. For more information, visit https://www.mcafee.com/us/threat-center/product-security-bulletins.aspx

Recent Acquisitions
Recent acquisitions by Intel are out of Scope for the Bug Bounty program for a minimum period of 6 months after the acquisition is complete. If you have a security vulnerability in a product recently acquired by Intel, please send your report to the Intel Product Security Response Team (PSIRT) at secure@intel.com. Please remember to encrypt your report using the Intel PSIRT public key, which can be found at https://security-center.intel.com

Intel's Web Infrastructure, i.e., *.intel.com
Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com

Open Chassis Physical Attacks
Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device are out of scope.

The following are general categories of vulnerabilities that are considered ineligible for a bounty award:

  • Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device.
  • Vulnerabilities in pre-release product versions (e.g., Beta, Release Candidate).
  • Vulnerabilities in product versions no longer under active support.
  • Vulnerabilities already known to Intel. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award.
  • Vulnerabilities present in any component of an Intel product where the root-cause vulnerability in the component has already been identified for another Intel product.
  • Vulnerabilities in products and technologies that are not listed as “Eligible Intel branded products and technologies”, including vulnerabilities considered out of scope as defined below.

Any conduct by a security researcher or reporter that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any submission from the program. Do not engage in extortion.

Specific Examples of Out of Scope Findings

  • Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, are out of scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com.
  • Intel products intended for prototyping use or that are “open” in order to provide customers with debugging capability are out of scope.
  • Intel freeware applications are out of scope.
  • Intel-Maintained open source software projects fall out of scope. Please contact the open source project maintainer directly.
  • Products of former Intel subsidiaries, such as McAfee and Wind River, are out of scope.

In Scope eligible products and technologies are listed above. If you are unsure whether a product or technology is eligible, contact Intel PSIRT at secure@intel.com. Intel encourages the reporting of all potential vulnerabilities. For vulnerabilities that are out of scope for the Bug Bounty Program, please refer to our Vulnerability Handling Guidelines.

Intel reserves the right to alter the terms and conditions of this program at its sole discretion.

Severity assessment

Note: Intel uses the Intigriti platform to administer payments for the Intel Bug Bounty program.

Bounty Award Payment

Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at Intel’s sole discretion and will be made on a case-by-case basis. These are some general guidelines that may vary from published documentation:

  • Awards may be greater:
      1. based on the potential impact of the security vulnerability.
      2. for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
      3. if a functional mitigation or fix is proposed along with the reported vulnerability.
  • Intel will award a bounty for the first eligible report of a security vulnerability.
  • Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
  • Intel will award a bounty from $500 to $100,000 USD depending on the vulnerability type and originality, quality, and content of the report.
  • Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
  • Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.

Intel makes no representations regarding the tax consequences of the payments Intel makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.

Bounty Award Schedule

Each bug bounty report is individually evaluated based on the technical details provided in the report. Intel generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.

  • Vulnerability Assessment – Intel PSIRT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
  • Triage - A team of Intel product engineers and security experts will determine if a vulnerability is valid and an eligible Intel product or technology is impacted.
  • Vulnerability severity determination – Intel PSIRT works with the Intel product security engineers and Intel security experts to determine the severity and impact of a vulnerability.

Intel’s bug bounty awards range from $500 up to $100,000. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, the impact of the potential vulnerability, the CVSS severity score, whether a PoC was provided and the quality of the PoC, and the type of vulnerability.
The bounty table is a general guide to the potential award amounts. However, the awards may vary based on the factors mentioned above.

Bug Bounty Bonus: Pentium®, Celeron®, and Intel Atom® Processors
Intel is announcing a new bonus incentive to our bug bounty program, focusing on firmware and hardware within Intel® Pentium®, Intel® Celeron®, and Intel Atom® processors (see below for full platform listing). This bonus incentive will be open to the public for a period of one year, May 11, 2021 - May 10, 2022, and will pay up to $150,000.00 for novel vulnerabilities (1.5x the normal maximum). Additionally, at the end of the one-year period, the top 10 submissions will be identified and recognized, and the top two researchers will be invited to speak (virtually) at iSecCon (Intel’s internal security conference).

Bonus incentive open to the public: submissions must be received by 11:59pm PST on May 10, 2022 to be eligible for the bonus incentive. Submissions received after that date are not eligible for the bonus incentive but may be eligible under Intel’s standard bug bounty program.
The bonus incentive award payout will be a multiplier ranging from 1.2 to 1.5 times the standing Bug Bounty payment.

Vulnerability Severity | Intel Bug Bounty Bonus Firmware | Intel Bug Bounty Bonus Hardware
Exceptional | Up to $45,000 | Up to $150,000
Critical | Up to $45,000 | Up to $150,000
High | Up to $21,000 | Up to $42,000
Medium | Up to $3,900 | Up to $6,500
Low | Up to $1,200 | Up to $2,400

Please ensure you include "Bug Bounty Bonus" in the title of your report.

End-of-Year Award Package:
Within 3 months of the end of the one-year window:

  • Intel will select the top 10 research submissions and two researchers that will be invited to Intel iSecCon and potentially other speaking engagements.
  • Intel will notify via email participants that were selected and winners of the top 10 submissions.
  • Intel will issue a blog post outlining the top 10 research submissions received and crediting the researchers, if they consent to being publicly credited.
  • Intel will email the two researchers who will be invited to speak at Intel iSecCon and other speaking engagements.

Example Topics of Interest:

  • Escalation of Privilege
  • Information disclosure
  • Denial of Service
      ◦ Temporary
      ◦ Permanent
  • Ability to alter/modify/change security boundaries

FAQ

Where can I find the Vulnerability Handling Guidelines?
Information can be found here

Is Intel's Web Infrastructure, i.e., *.intel.com, in scope?
Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com

Where can I find the Intel PSIRT public key?
The Intel PSIRT public key can be found here

Last 90 day response times

  • avg. time first response: < 5 days
  • avg. time to decide: +3 weeks
  • avg. time to triage: < 16 hours