Intel, Microsoft Announce New Bug Bounties

Intel and Microsoft announced bug bounties, paying $30,000 and $15,000 respectively for critical vulnerabilities.

Intel announced its first bug bounty program, offering up to $30,000 to researchers who find critical vulnerabilities in its hardware.

The invite-only program, which is being run on the HackerOne platform, was announced today at the CanSecWest conference in Vancouver.

Intel said its software, firmware and hardware are in scope for rewards, with critical software and firmware finds being worth $7,500 and $10,000 respectively.

“We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability,” Intel said. “By partnering constructively with the security research community, we believe we will be better able to protect our customers.”

Intel announced further pricing for its bounty: up to $10,000 for high-severity hardware bugs, up to $2,000 for medium-severity issues and up to $1,000 for low-severity issues.

High-severity firmware bugs could be worth up to $5,000 while high-severity software flaws could fetch up to $2,500.

Intel said that its Intel Security products (the former McAfee) are not in scope for a bounty, nor are Intel’s web infrastructure or recent acquisitions.

Microsoft also announced today that it was launching a bug bounty for its Office Insider Builds on Windows.

Insider Builds, Microsoft said, provides users with early access to new Office capabilities and security features. Microsoft said it hopes researchers will test early Office builds for vulnerabilities before they drop into production.

Microsoft said it would pay up to $15,000 for high-severity elevation of privilege vulnerabilities via Office Protected View and for macro execution vulnerabilities that bypass the security policies already in place to block macros by default. Other high-severity bugs that enable code execution by bypassing Outlook’s attachment block policies will be worth up to $9,000.

The program opens today and will run for three months until June 15.

“The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing,” Microsoft said.
