
Intel touts expanded focus on its bug bounty program for security assurance

The Intel logo hangs over the company’s stand at the 2016 CeBIT digital technology trade fair on March 14, 2016, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Intel made two announcements this week that solidified the chip maker’s commitment to a strong bug bounty program.

On Thursday, Intel released its 2021 Product Security Report, which offers a “year-in-review” treatment of the security vulnerabilities and mitigations that Intel uncovered last year.

According to the new report, 93% of vulnerabilities Intel addressed were a direct result of its investment in product security assurance. Some 97 vulnerabilities were reported through Intel’s bug bounty program, which is 86% of the 113 vulnerabilities reported. And 77% of hardware/firmware vulnerabilities were found by Intel, an increase from 69% in 2020.

Also on the bug bounty front, on Wednesday Intel launched Project Circuit Breaker, which pulls together a community of elite hackers to hunt bugs in firmware, hypervisors, GPUs and chipsets. The new program will feature more training and opportunities for bounty hunters to spend more time with Intel engineers.

Intel has been and continues to be very aggressive with its bug bounty program, although the vast majority of bugs are self-reported, said Frank Dickson, program vice president for security and trust at IDC.

“It’s part of Intel’s initiative to lead semiconductor vendors in proactive resiliency in silicon compute platforms, as Intel views transparency as the foundation of trust,” Dickson said. “Ironically, Intel’s stance on vulnerability discovery, disclosure and bug bounty programs is more the exception than the rule in the industry. It’s hard to imagine that other silicon vendors won’t be pressured to follow suit.”

Jon Oltsik, senior principal analyst and ESG fellow, added that Intel has demonstrated it has a very mature software development process and that security is tightly integrated.

“The fact that they are catching the vulnerabilities themselves while also supporting a bug bounty program is a ‘belts and suspender’ holistic approach,” Oltsik said. “Intel is also conscientious about metrics and seems like they are striving for continuous improvement. All signs of a diligent and mature security program.”
