Intel has finally joined the bug bounty game with financial rewards on offer up to $30,000.
Intel and Microsoft have launched new bug bounty programs with thousands of dollars on offer for the most dangerous bugs.
Intel revealed the new bug bounty program will be hosted on HackerOne at the CanSecWest security conference on Wednesday. While old hat for companies including Microsoft, Facebook, and Google, the scheme is the first of its kind for the tech giant.
“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching vulnerability,” Intel said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”
Intel says the “harder a vulnerability is to mitigate, the more we pay.”
As a consequence, critical bugs are the most lucrative, with $7,500 on offer for critical Intel software bugs, up to $10,000 for critical Intel firmware security flaws, and up to $30,000 for each critical Intel hardware bug disclosed to the company.
The Santa Clara, California-based firm uses the CVSS score generator to ascertain how dangerous a vulnerability can be. If a bug is deemed of “high” importance, up to $10,000 is up for grabs, while a “medium” severity bug can earn researchers up to $2,000.
In addition, “low” risk security flaws are worth up to $1,000.
Intel Security (McAfee), third-party products and Intel’s web presence are not part of the bug bounty program.
In addition, Microsoft also announced a new bug bounty program on Wednesday for the Microsoft Office Insider on Windows. The Redmond giant says it will offer researchers a minimum of $500 and maximum of $15,000 for vulnerability submissions which are discovered in the Microsoft Office Insider slow build shipping on the latest, fully patched version of the Windows 10 Desktop operating system.
The flaws must be zero-day vulnerabilities and the Microsoft team must be able to replicate the problem for a bug to qualify for a reward. The company will also consider rewarding researchers with more than $15,000 if the security flaw is something special.
The program will run until June 15.
Bug bounties can be lucrative, not only for researchers that can earn cash rewards for their findings but also for companies which can potentially save money otherwise spent on damage control — and money lost through a hit to reputation — if a zero-day vulnerability is exploited in the wild before it can be patched.
In 2016, on crowdsourced bug bounty platform HackerOne, rewards were on offer of up to $30,000 for the most severe flaws. Through the platform, Twitter has paid researchers a total of $561,980 for responsible disclosure, and other companies offer up to $50,000 for novel, dangerous bugs.
In related news, this week Microsoft said it was willing to pay researchers to play Minecraft. You can earn a prize of up to $20,000 by submitting projects designed around the Minecraft world which allow AI systems and human players to co-operate with each other.