News Posts matching #bounty


Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, agreeing not to disclose their findings or communicate in that regard with any person or entity other than certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information about vulnerabilities becoming public before it has had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.

Update (17/05): An Intel spokesperson commented on this story.

Intel Expands Bug Bounty Program in Wake Of Spectre, Meltdown Flaws

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leveraged in the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

Microsoft Announces the Windows Bounty Program

While Microsoft has been offering bug bounty incentives since at least 2012, Google has arguably been much more vocal in its bug bounty programs. The company recently increased the maximum payout in its bug bounty programs (mainly focused on Android) to a staggering $200,000, and now Microsoft is not only following suit - it's upping the game.

With the Windows Bounty Program, which Microsoft announced yesterday, the company is looking towards an increased incentive for security-hardening suggestions from tech-savvy users. This program will extend to all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. And incentives starting at $500 and going all the way up to $250,000 are very, very respectable.

Blizzard Pays Generous Bounty for Original Starcraft "Gold Master" Source CD

It's never fun to be contacted by a legal department and be told that something you bought online is not rightfully yours. Still, this occasionally does happen in the case of intellectual property that has been misplaced and is not supposed to be resold. Example: The case of Reddit user Khemist49, who found himself in possession of a CD-ROM claiming to be the original source code for the game "StarCraft." Where did he get said disc? A box of "old Blizzard-related stuff" he bought on eBay in April. Thinking he had something special, he posted on Reddit asking what to do with it.