Intel is promising up to $250,000 to security researchers who uncover new side-channel vulnerabilities in its processors, in the wake of the Meltdown and Spectre exploits that took advantage of such vulnerabilities.
Meltdown and Spectre have been at the top of the cloud computing and enterprise data center priority list ever since Intel and a group of tech companies disclosed that design flaws dating back 20 years could expose almost all the computers on the planet to so-called side-channel vulnerabilities. Intel and operating system vendors have released several patches to mitigate the effects of those vulnerabilities, but there’s little doubt sophisticated malicious hackers are racing to find new ways to take advantage of the design flaws.
In response, Intel is changing its bug bounty program from invitation-only to a public program, and offering up to $250,000 for researchers who report new side-channel vulnerabilities to the chip giant, it said in a blog post Wednesday. The company will also increase the amount it awards for the discovery (and confidential reporting) of general security vulnerabilities to $100,000.
“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” Intel’s Rick Echevarria, vice president and general manager of platform security, said in the blog post.
Bug bounties have emerged as a very popular way to find bugs in software and hardware. All tech products have bugs to some extent; after all, they were developed by people. Bounty programs, which give security researchers an incentive to report those bugs directly to the company responsible for the product instead of dumping the details of those vulnerabilities on the public internet, are now used by almost all major tech vendors.
In this particular case, side-channel vulnerabilities take a lot of expertise to exploit, which makes them more valuable than the average bug. The attacks are based on finding a pattern in the hardware implementation of the software program you wish to exploit, such as the speculative-execution technique used in the Meltdown and Spectre vulnerabilities.
Until Intel and other chip makers design hardware that gets around these side-channel vulnerabilities, and end users cycle through their old hardware, this problem is going to be around for a long time.