Intel Puts Spotlight on Security, Expands Bug Bounty Program
Intel has put a focus on its broad security efforts that include an expanded bug bounty program and its annual report on the security of its products, which bolsters the work the giant chip maker does internally to imbed security into its development lifecycle and to ferret out vulnerabilities before the processors make it into systems.
The company launched its bug bounty program internally in 2017 and went public with it a year later. Last week Intel officials unveiled Project Circuit Breaker, a move to bring together a community of elite hackers to find vulnerabilities and flaws in a broad array of the vendor’s portfolio, from CPUs and GPUs to firmware, hypervisors and chipsets.
The program will include events designed to set the hackers loose on specific new platforms and technologies to find problems within the products. At the same time, there will be training and collaboration with Intel engineers. According to the company, the first event is underway, with 20 researchers going through systems powered by Intel’s Core i7 chips, codenamed “Tiger Lake.”
Expanding the Focus to Hardware, Firmware
Intel’s existing bug bounty program is primarily focused on software, so Project Circuit Breaker will put a focus on the hardware and firmware layers, according to Jerry Bryant, senior director of security communication and incident response at Intel.
“We’re investing in training external researchers and working with them throughout the bounty event process to help them understand how the platform is supposed to work so they can generate their ideas on how to attack it in ways that we may not have thought of or were not intended to as a component,” Bryant told The New Stack.
At the same time, Intel’s 2021 Product Security Report offered some insights into the company’s internal efforts around security, from its security development lifecycle (SDL) to the existing bug bounty program. According to the vendor’s numbers, Intel mitigated 226 product security issues in 2021. Of that, 93% were addressed due to the company investments, including 113 found internally and 97 via the bug bounty program.
That was a bump from the 91% found by Intel efforts in 2019, the first year of the report.
Bug Bounty Programs on the Rise
Bug bounty programs are increasingly popular as tech companies look to outside help to find flaws in their products. According to a report late last year from vulnerability program management firm HackerOne, there was a 34% increase in the total number of programs last year, with traditionally conservative verticals like financial services and government growing their adoption.
“Bug bounty programs are getting more and more common,” Katie Noble, director of product security incident response team and bug bounty at Intel, told The New Stack. “You’re seeing them in more and more places, but not everybody has one yet and it’s not necessarily appropriate for every company or vendor or agency or entity to have one. But it does provide an incentive to security researchers in a way that may help break down some barriers that exist.”
Bug bounty programs are natural extensions of vulnerability disclosure programs (VDPs), “which is if you see something, say something,” Noble said. “If a VDP is see something, say something, then a bug bounty program is an invitation and an incentive.”
There is growing acceptance of VDPs industry-wide and even government agencies like the Department of Homeland Security are adopting bug bounty programs.
“It’s a fantastic signal that vulnerability disclosure programs [and bug bounty] programs are the way of the future,” Noble said. “It was a natural time to expand the bug bounty program. We’ve taken the lessons learned and incorporated them into our processes, and we’re at a point now where we think the community is in a really good stage and it’s going to be well-received.”
Meta, Cloudflare Expand Initiatives
Recent examples of the growing embrace of bug bounty programs include Facebook parent company Meta in December expanding its program to enable researchers to focus on finding flaws that could enable hackers to engage in data scraping, where a program is used to take information from a website and put onto another computer.
Web security vendor Cloudflare this week announced it was launching a paid public bug bounty program, following on a VDP that came without cash bounties. In 2018, the company added a private bounty program.
“We believe bug bounties are a vital part of every security team’s toolbox and have been working hard on improving and expanding our private bug bounty program over the last few years,” Rushil Shah, product security engineer at Cloudflare, wrote in a blog post.
Intel has long been a proponent of hardware-based security, even going so far as to buy security software company McAfee for $7.7 billion in 2010 and renaming it Intel Security. Six years later, Intel spun out the security business, selling it to TGP Capital for $4.2 billion and creating a new company that brought back the McAfee name.
Spectre and Meltdown
Over the past several years, Intel has been more vocal about its security efforts. In 2018, Google’s Project Zero researchers disclosed critical flaws dubbed Spectre and Meltdown in modern processors, including those from Intel, AMD and IBM and others using the Arm architecture. The speculative execution security vulnerabilities opened up a vast number of PCs and cloud systems to so-called “side-channel” attacks that could enable threat actors to use malicious programs to seize data such as passwords, personal files, emails and business-critical documents stored in the memory of other programs.
“I wouldn’t say that was a wake-up call because Intel has been focusing on security for many, many years,” Bryant said. “But it was an opportunity to be more vocal and transparent about our approach to security because it was good. It made it clear that not a lot of people really understood the investments and the efforts that we put into this. That became a jumping-off point to where we have our own Security-First Pledge, which includes a commitment to transparency. We look for opportunities to communicate those things that we think are important.”
Transparency Is Key
That can be seen in Intel’s annual report, which was first put out a year after the Spectre and Meltdown disclosures. In it, the company outlines the cornerstone of the Security First Pledge, its SDL that covers from planning and assessment to security validation, the release of the product and the time after deployment.
It also talks about the growth of Intel’s bug bounty efforts. After going public with the program in 2018, Intel last year launched the Bug Bounty Bonus program for its Pentium, Celeron and Atom client processors, the first of what officials said will be several planned expansions of the program.
“Attackers are increasingly targeting hardware, as attacks at the hardware level can enable greater control to the attacker over software exploitation,” Intel officials wrote in the report. “Secure hardware provides a trusted foundation to protect data and empowers software to provide greater protection and functionality with a basis in hardware.”
That can be seen by a report last week from firmware protection company Binarly that found 23 flaws in Unified Extensible Firmware Interface (UEFI) from software maker Insyde that impacts a range of hardware makers, including Intel, AMD, Dell, Lenovo, Microsoft and Fujitsu. UEFI is a boot interface that bridges a device’s firmware and operating system. The flaws could enable threat actors to gain admin controls of exploited PCs.
The link between hardware and software is important, Bryant said. Among the industry partners Intel has are operating system and hypervisor vendors.
“A lot of times a hardware mitigation also comes with a software component that you know those vendors need to implement in their software to take advantage of the hardware component that we added,” he said. “From a developer perspective, we’re always looking at ways for organizations to have an option. We put in switches that can enable this or disable this if you don’t care about that particular type of issue or whatever the case may be.”