It’s no secret that the whole Spectre and Meltdown situation has been a bit of a nightmare for Intel. In response to what is an ongoing PR disaster, the company is expanding its bug bounty program to more researchers while offering bigger rewards.
The program has been invitation-only since launching in March last year, meaning only a select few have been able to report potential vulnerabilities. Now, researchers with HackerOne accounts that meet eligibility requirements can inform Intel of bugs in its hardware, firmware, and software products, which cover CPUs, chipsets, FPGAs, SSDs, device drivers, and applications.
The other big change is that Intel has opened a new program for reporting side channel vulnerabilities like Spectre and Meltdown that are rooted in its hardware and exploitable through software.
Additionally, Intel is increasing its maximum bug bounty payout for side channel vulnerabilities. The higher the severity, the more money it will hand over. Anything with a maximum ‘critical’ rating of between 9.0 and 10.00 will net the finder $250,000. Meltdown and both variants of Spectre all have CVSS severity ratings of 5.9.
“We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data,” said Intel’s vice president and general manager of platform security, Rick Echevarria.
The side channel program runs up until December 31, 2018, though Intel did say the bug bounty program will continue to evolve.
Following its earnings report last month, Intel CEO Brian Krzanich said chips with changes that “directly address the Spectre and Meltdown threats in hardware” will begin appearing this year.