Intel Expands Bug Bounty Program – Techstrong TV

Intel is expanding its Bug Bounty program with Project Circuit Breaker, bringing together a community of elite hackers to hunt bugs in firmware, hypervisors, GPUs, chipsets and more. Charlene O’Hanlon and Katie Noble discuss the first of these efforts and how Intel plans to take this initiative further. The video is below followed by a transcript of the conversation.

Charlene O’Hanlon: Hey, everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon. I’m here now with Katie Noble who is director of PSIRT. What is that? PSIRT? And Bug Bounty over at Intel. Katie, thanks so much for joining me today. Really do appreciate it.

Katie Noble: Yeah, hi. Thanks for having me.

Charlene O’Hanlon: No, no. No problem whatsoever. Glad to have you here. I’m really fascinated about what you guys are doing over at Intel with regards to your Bug Bounty program because it seems to be just going great guns there. So I wonder if you could kind of walk me through what your Bug Bounty program looks like right now and who you guys have involved in it.

Katie Noble: Yeah, so just to kind of give you a little bit of the background on it, Intel launched our Bug Bounty program in 2017 and at that time, it was a private program so by invite only. And then in 2018, we opened that program up to the public so it’s an open, continuous program.

And so it’s been an open, continuous program since 2018. And what that means is that anybody anywhere in the world can submit vulnerabilities to us and we will look at them. And then what we’ve done recently is we’ve launched a new expansion of our Bug Bounty program which is called the Project Circuit Breakers campaign. And what that aims to do is add on to our already open, continuous program by really getting in and meeting the researchers where they are.

Charlene O’Hanlon: Okay. So what does that involve, then? And how deep does it go?

Katie Noble: So it is a work in progress. What we are doing is by having the Project Circuit Breakers campaign, what we can do is we can host specific events, targeted events. We can really dive into training sessions and specific hack-a-thons and time-boxed events. We can bring in researchers that we think show a really great aptitude for some of our products that we are working on and train them up a little bit, give them that unique opportunity to sit with some of our engineers and get some of that hands-on training that they may never have gotten before. So it’s really a wonderful opportunity to kind of really get in deep with the researcher community.

Charlene O’Hanlon: That’s really great. So how did you guys come up upon this particular idea because it seems like it’s – it really does take the Bug Bounty program one step further into actually kind of rather than saying okay, thanks for finding the bug. Here’s your check. Go away. You’re bringing these people into your fold and really kind of taking the relationship a level deeper.

Katie Noble: Yeah. So over the last couple of years, we are really trying to refine that security, kind of the commitment to security. And so we’ve said what can we do to change the way that we think about bounty programs? So a lot of companies have Bug Bounty programs and they are a wonderful extension of your vulnerability disclosure programs. But like you said, it’s kind of a submit anything, thanks for your submission and that’s really where it ends.

And we said okay. Well, Intel is very uniquely positioned within the industry right now but our products are a little bit different than what you may see in some other companies. And so we realize that that takes kind of a very special skill set and it doesn’t organically exist within the community. So we said what can we do to take that extra step because we realize it’s that question of do you build it or do you buy it? I’m not going to be able to find the solution on the shelf so I need to build it and how can I build it? And so we started deconstructing what we could do to take steps to really reach the researchers and this is kind of where we settled.

Charlene O’Hanlon: That’s great. That’s great. So you said it’s a work in progress. So how far along are you guys into this project and have you actually started onboarding any of the researchers?

Katie Noble: Yes, we have. In December we launched the Camping with Tigers live hacking event and so that event brings in 20 security researchers. It is focused on the Tiger Lake platform, so we gave them the device and we are giving them specific training on the device so every week they get a training session with some Intel engineers. We sit down with them and answer their questions. And we’re trying to focus it more of a rather than sort of an adversarial relationship, we want this to be a team. So there’s this very famous quote that “a rising tide raises all ships.” And so what we’re trying to do is say okay, through Camping with Tigers, we’re going to sit down with the security researchers, we’re going to give them that extra training. We’re going to answer their questions and we’re going to really meet them where they are. And it’s been wonderful so far. We’ve had some really great submissions. It started in December. It’s going to end in May. But so far it’s been really fantastic.

Charlene O’Hanlon: Excellent, excellent. So how many people do you actually have in the program right now?

Katie Noble: Yeah, so this first pilot, the Camping with Tigers pilot has 20 security researchers. We are going to have some more events coming in the next year or so but like I said, it’s a work in progress. We want to make sure that we are able to do that crawling before we run a marathon.

Charlene O’Hanlon: Yeah, yeah. That sounds great. And I imagine the researchers really enjoy it as well because it does give them access to your researchers and your developers and kind of helping them further the conversation. And yeah, to your point, the rising – I think it’s rising tide lifts all boats or something very similar to that. I can’t imagine that there are any downsides to actually bringing these security researchers into the Intel fold to have that idea exchange and that thought leadership just occur on a much more granular level.

So what has been the response so far from the industry, the security industry at large, regarding what Intel is doing, especially with the Project Circuit Breaker program?

Katie Noble: So I’ve seen a lot of positive responses. I’ve been contacted quite a bit in the social media world and then we’ve seen a lot of interest, we’ve seen a lot of researchers contacting us and saying hey, how do I participate in these events? And so that’s been really fantastic. We’ve also seen a lot of subject matter experts come to us and say how can I participate in these events? How can I give trainings? How can I help with show and tell sessions? And so it’s an opportunity for not only the security researchers but also some of our other, some developers, microcode engineers, to really be able to share those lessons learned. So I think that increased collaboration has been fantastic so far.

Charlene O’Hanlon: That’s really great to hear. And considering all of the issues that we’ve been hearing about and experiencing over the last 12 months, particularly with software supply chain issues and just understanding that open source code and pretty much all code, basically, needs to be updated and secured from the start, I imagine that the timing is perfect for this type of program.

So what do you guys expect for the program moving forward? Do you expect to maybe I don’t know, double the size of researchers or the number of researchers who get involved in a particular camp or however you label your sessions? Or what is it that you guys see on the horizon for it?

Katie Noble: So we’re looking at this as a long-term kind of campaign. So we wanted to start small with a couple of pilot programs and then ultimately what we’d like to see is we’d like to start doing these events multiple times a year. We’d love to do Capture the Flag exercises, immersion training exercises as well as the live hacking events. And so it’s hard to point out specifics and say I want to do two Capture the Flag exercises per year. But I really want to do two Capture the Flag exercises per year.

So we are trying to make sure, one of the big problems that we see is that the researcher community has a lot of attention right now and so we’re kind of sharing researchers with other companies, too. And so it’s making sure that we can keep the researcher community interested in our products and in our work. We go back to that rising tide raises all ships, right? It’s all about making the entire community better and safer and so we have to balance that as well.

Charlene O’Hanlon: Well, it really sounds like a great program and obviously very beneficial to the community at large. And so it seems like it would actually spur a lot of collaboration, future collaboration between the security researchers and their companies and Intel. So have you had any maybe inklings or conversations with folks yet about these possible future collaborations?

Katie Noble: Yes. So there is a group called the Bug Bounty Community of Interest and the Bug Bounty Community of Interest is about 40 different companies. They are Bug Bounty managers. And so it’s focused on sharing information back and forth between some of these common challenges that we all experience within the community. And so when we were thinking about launching the Project Circuit Breakers campaign, the Bug Bounty expansion, we actually circulated the idea with some other companies and we said what do you think about this? And the response has been pretty overwhelming and fantastic. So much so that we’ve talked about well, maybe we can do some coordinated events in the future as well. Not just Intel, not just Project Circuit Breakers but Project Circuit Breakers and maybe the Yahoo Paranoids program or the DoD Hack the Pentagon program.

And so looking at some of that cross communication has been really, really fantastic. I think it’s been well received so far. So I’m really excited.

Charlene O’Hanlon: Well, it sounds like a great endeavor, like I said. And it can only benefit the community at large because we all benefit when, except maybe the hackers but the good guys benefit when –

Katie Noble: The nefarious hackers. The good guys.

Charlene O’Hanlon: Nefarious. They’ve got to be nefarious. But I wish you guys great luck with the program moving forward. It sounds like it’s going to be a rousing success and judging from the feedback that you’ve received so far, I know that the community is really in need of something like this. 

So Katie, thank you so much for taking a few minutes and talking to me about Project Circuit Breaker and your Bug Bounty program at large. It’s really, really good stuff. I do appreciate it.

Katie Noble: Yeah, thank you for having me.

Charlene O’Hanlon: All right, everybody. Please stick around. We’ve got lots more Techstrong TV coming up. So stay tuned.

Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.