Intel is a sponsor of TechSpective
Vulnerabilities are a fact of life. Organizations and developers strive to develop secure code, but the reality is that there is no such thing as perfect when it comes to either coding applications or security. The focus should be on streamlining discovery of vulnerabilities so they can be patched or mitigated as efficiently and effectively as possible. It helps to have extra eyes and an outside perspective as well, which is why Intel has invested in developing a bug bounty program and establishing a community of external security researchers to enhance those efforts.
Elevating Vulnerability Research
External or third-party researchers can play a vital role in vulnerability management efforts. The creator of the code often sees things through the lens of what they meant for it to be, as well as through the filter of the code being used as intended. The broader community helps ensure that there is no inadvertent bias and provides a unique perspective that is invaluable for identifying obscure issues.
The bug bounty program is a relatively new effort. Intel launched the program on an invitation-only basis in March of 2017 but opened it to the general public in 2018 in the wake of the Spectre and Meltdown revelations. Software security research was relatively common, but Intel wanted to bolster and incentivize research into its hardware as well.
The 2019 Product Security Report reveals that more than 90% of the vulnerabilities addressed were a direct result of Intel’s investment in ongoing product assurance. Intel finds a significant number of vulnerabilities through its own internal efforts, but this investment also includes Intel’s bug bounty program and its relationship with the larger security researcher community.
Building Respect in the Community
I had an opportunity to speak with Daniel Gruss—one of the security researchers who works with Intel to identify and resolve bugs. Gruss is an assistant professor at a university in Austria—supervising a team of students and digging into the inner workings of processors to find vulnerabilities.
Gruss shared that he has always been interested in how processors work—especially when it comes to the tradeoffs and the balance between optimizing performance and creating security problems. He began his PhD studies in 2014 to understand processors and security problems inherent in processors.
Gruss told me that Intel was somewhat challenging to work with in 2016 and early 2017. With the public launch of the Intel bug bounty program, however, Gruss says that those issues have faded, and that Intel now handles vulnerability disclosure professionally.
Collaborating for a More Secure Future
Bryan Jorgensen, VP in the Product Assurance and Security Group at Intel, is deeply invested in ongoing vulnerability research on Intel products—both internally and through their bug bounty program. He explained to me that the objective is not just to identify and address vulnerabilities in existing products, but to learn from them and to take steps that help avoid similar issues in future products.
Intel recognized that an increased emphasis on hardware in recent years has driven a need for better communication and collaboration. Jorgensen and his team are dedicated to working with partners and vendors to facilitate coordination between multiple parties to discover and resolve vulnerabilities as effectively as possible.
When it comes to building community with external security researchers, as well as establishing trust with customers, the key is transparency. Jorgensen stressed the need for Intel to demonstrate integrity. He told me that his team constantly seeks to improve how they work with security researchers, improve communication, and continue to provide incentive for them to work with Intel to make more secure products.
Security research sometimes falls into a legal or ethical gray area, and Intel understands that as well. They updated the bug bounty terms to include Safe Harbor language to protect researchers from prosecution for research that might otherwise run afoul of existing laws.
Intel is committed to creating a more secure future—one hopefully built with Intel hardware at the foundation. Intel is leading the way by working with external researchers and collaborating with the broader tech industry. The efforts and investment from Intel to build processes and a community to identify and resolve potential vulnerabilities are the foundation of that commitment and will make security a differentiator for the company.