Sophisticated Systems to Address Security Vulnerabilities
Intel follows robust incident response tactics that guide how we work with the industry on mitigation development and disclosure of security vulnerabilities.
PSIRT
PSIRT Mission:
The Intel Product Security Incident Response Team (PSIRT) works to minimize customer impact through the mitigation and public disclosure of security vulnerabilities that may affect Intel-shipped and supported products.
Minimizing Impact Through Vulnerability Mitigation and Disclosure
Intel continuously looks for vulnerabilities in its own products. When we find one, or one is reported to us, we handle it through a comprehensive, repeatable process that prioritizes issues by severity and impact and proceeds in three phases: identify, mitigate, and disclose.
PSIRT receives potential vulnerabilities from internal or external vulnerability reporters and works within Intel to verify the reported information through two steps:
Intake
Intel PSIRT evaluates initial potential vulnerability information and requests additional details, as needed, to properly disposition the issue.
Triage
PSIRT works with product teams to evaluate and reproduce the report, and to understand the potential impacts to products.
- If a potential vulnerability can be reproduced, then the Intel PSIRT executes the remaining PSIRT process through public disclosure.
- If a vulnerability can’t be reproduced or it’s found not to affect an Intel product, then the Intel PSIRT relays this information to the vulnerability reporter and closes the case.
Intel aims to help protect the broader technology ecosystem by partnering with industry security researchers and sharing information about reported security vulnerabilities with our customers, competitors, and fellow technology vendors in a timely fashion. Following Coordinated Vulnerability Disclosure (CVD) practices, if Intel recognizes that another vendor’s product might be affected by a reported vulnerability, we coordinate with the potentially affected vendors, relevant third-party coordinators, and/or the vulnerability reporter, depending on the report.
This association with industry vendors is seen as reciprocal. Intel asks that our partners follow a similar strategy to share reported vulnerabilities with the ecosystem.
Intel manages all sensitive information in a secure manner. Vulnerability information is shared on a strict need-to-know basis. The Intel PSIRT asks that external vulnerability reporters maintain the same level of confidentiality while working with us through the PSIRT process.
PSIRT finalizes severity and prioritization for vulnerabilities using metrics such as Common Vulnerability Scoring System (CVSS). Alongside severity and prioritization analysis, Intel works to evaluate strategies to mitigate the vulnerabilities and execute the determined strategy.
Severity and Prioritization Analysis
Intel uses the most up-to-date version of CVSS, an industry framework maintained by the Forum of Incident Response and Security Teams (FIRST). CVSS captures the intrinsic, technical characteristics of a vulnerability to determine its severity.
CVSS scores range from 0.0 (lowest severity) to 10.0 (most critical severity). CVSS is broken down into three metric groups: Base, Temporal, and Environmental. Intel scores vulnerabilities using only the Base metrics; the resulting value is referred to as the “Base Score,” and it is the only CVSS score Intel publishes at this time. Intel maps Base Scores to severity categories as follows:
CVSS Severity Category / CVSS Base Score
CRITICAL: 9.0-10.0
HIGH: 7.0-8.9
MEDIUM: 4.0-6.9
LOW: 0.0-3.9
Note: CVSS is not a risk calculation methodology. CVSS only captures a vulnerability severity rating, which could be used as an input to risk calculations. We encourage customers and users to evaluate the impact of a security vulnerability in their specific environments, as many factors determine a vulnerability response prioritization decision.
Mitigation Planning and Execution
Intel develops and implements a mitigation plan or solution to address the identified security vulnerability. Intel works diligently to identify mitigations in a timely manner. Response timelines vary based on the complexity of the issue, number of products affected, priority, and product release cycle (if applicable), among other factors.
PSIRT communicates the appropriate vulnerability information and any associated mitigations to our customers and the public following a tiered approach to disclosure. This allows partner organizations time to test, verify, and implement mitigations before coordinated public disclosure.
NDA Disclosure
Intel informs customers at appropriate times, based on the degree to which they’re involved in the mitigation of a security vulnerability. Partners that need to assist in the development of the mitigation are informed via NDA at the earliest appropriate time after Triage.
Public Disclosure
PSIRT publishes public vulnerability disclosures in the form of Security Advisories once the NDA disclosure is complete. PSIRT balances the need to provide actionable information with seeking to prevent attackers from operationalizing vulnerability information. The full list of Security Advisories can be found on the Intel Product Security Center.
Our Security Advisories contain the following information:
- A summary of the vulnerability
- Vulnerability details including CVE identifier and CVSS information (Base metrics only)
- Affected products and versions
- Recommendations for customers to include mitigation information or other actions required by the customer
- Acknowledgments to the vulnerability reporter or third-party coordinator (Intel acknowledges the reporter with their permission during public disclosure)
We are a CVE Numbering Authority (CNA) that assigns Intel CVEs for public vulnerability disclosure. Intel Security Advisories contain CVE, CVSS, and mitigation information for customer use.
PSIRT won’t provide additional vulnerability details beyond what is published in a Security Advisory to ensure appropriate data protection. When a Security Advisory requires further explanation, Intel works with ecosystem partners to generate a technical paper to give guidance, tips, and/or supplemental development information.
Learnings from these issues and feedback from the ecosystem will be incorporated into the next development cycle.
Disclosure Schedule
PSIRT publishes Security Advisories on the second Tuesday of the month. In some circumstances, Intel PSIRT may publish outside of this schedule based on a variety of factors.
Expert Insight: The Role of PSIRT
Lisa Bradley, PhD, Senior Director, Product & Application Security, Dell Technologies
Josh Dembling, Senior Director, Intel PSIRT
Bug Bounty: Collaborating with the Research Community
Product security is enhanced with more people looking. Our Bug Bounty Program encourages collaboration with the research community and incentivizes researchers to report vulnerabilities in Intel products. Through the Bug Bounty program, Intel invites researchers to test specific targets, submit vulnerabilities, and get paid for their work.
Since launching publicly in 2018, the Intel Bug Bounty program has worked with more than 350 researchers worldwide, paid out millions in bounties, and been an important source of the Common Vulnerabilities and Exposures (CVEs) Intel has addressed.
Eligibility
The program covers eligible Intel branded products and technologies maintained and distributed by Intel. For full details, see the full list of Intel® Bug Bounty Program Terms.
Process
Each security bug report is individually evaluated on its technical details to determine severity and next steps:
- Assessment: PSIRT ensures that all requested information has been provided for Triage. See the Reporting a Vulnerability page for a list of required information.
- Triage: A team of Intel product engineers and security experts determines whether the vulnerability is valid and whether an eligible Intel product or technology is impacted.
- Vulnerability severity determination: PSIRT works with product security engineers and security experts to determine the severity and impact of the vulnerability.
Awards
Awards range from $500 up to $100,000, depending on the type and severity of the vulnerability, the impact of the potential vulnerability, the quality of the report, and the quality and delivery of the proof of concept.
Reporting a Security Vulnerability
If you believe you’ve found a security vulnerability in an Intel product or solution, please submit reports through the current provider: Intigriti. You can also contact Intel directly.
A Community for Elite Hackers
Project Circuit Breaker brings together ethical hackers and security researchers. Those who accept the challenge can hunt bugs in the latest software and hardware products through virtual and live hacking events. The targets are difficult, but every bug hunted leads to more secure products.
Driving a Predictable Cadence of Product Updates
Platform firmware updates require coordination with a large ecosystem of partners, including independent BIOS vendors (IBVs), original device manufacturers (ODMs), original equipment manufacturers (OEMs), operating system and hypervisor vendors, and cloud service providers (CSPs).
Why Is It Important?
The Intel Platform Update process seeks to enhance our ecosystem partners’ ability to validate and release updates for their products on a timely and predictable cadence to end customers; this is a key part of supporting our products after launch.
How Do I Get These Updates?
In some cases, updates are delivered through the operating system; in others, customers receive updates from their original equipment manufacturer (OEM). Intel maintains a list of OEM support sites for locating the right update.
What It Includes
The Intel Platform Update consists of several phases: issue discovery, triage, mitigation strategy, validation, and delivery to customers.
Reducing Adversary Advantage: Coordinated Disclosure
Intel PSIRT policies, processes, and guidelines are designed to support and encourage the principles of Coordinated Vulnerability Disclosure (CVD), an industry-standard under which a vulnerability is publicly disclosed only after mitigations are available.
At times, the publication of a Security Advisory may require coordination and collaboration with industry groups, external security researchers, and/or business partners. We disclose information about security vulnerabilities to stakeholders who can best help us mitigate the vulnerabilities as quickly as possible. We may engage different stakeholders who can aid with one or more of the following:
- Analyze and test security vulnerability claims
- Identify needed mitigation and develop such mitigation
- Test and improve mitigation
- Deploy and communicate mitigation
The CVD process helps build a trusted foundation for computing through collaboration with researchers that allows companies to develop mitigations and share findings. The cumulative benefits are broader industry resilience to common weaknesses, more secure products, and heightened public awareness and confidence.
In addition to practicing inbound CVD and partnering with external security researchers, we coordinate outbound vulnerability disclosure with industry partners and external stakeholders when appropriate. The goal is that all affected parties are disclosing in unison for an optimal defensive position.
CERT Guide to Coordinated Vulnerability Disclosure
Embargo
The multiparty coordinated vulnerability disclosure model places Intel between upstream security researchers and the industry partners that use Intel technologies, and balancing the two requires trust. Intel is committed to honoring third-party embargoes (i.e., those set by vendors, suppliers, security researchers, and third-party coordinators).
In cases where vulnerability information is under embargo and Intel suspects a partner company may be affected by the vulnerability, Intel submits a request to the coordinating or reporting party to report the issue under embargo to partners.
Technical Guidance from Intel
Microarchitectural security is a priority for Intel. Intel is committed to supporting the software development ecosystem through:
- Transparency: We do our best to inform customers of microarchitectural issues affecting our products.
- Software guidance: We help software partners make informed decisions and update software as needed to mitigate relevant issues.
- Hardware: Where feasible, mitigations are supported by hardware, and speculation features can be limited or disabled.
- Research and education: We invest in fostering academic research and educating customers about microarchitectural security.
Intel’s commitment to transparency involves documenting the architectural and microarchitectural origins of security issues, and then developing, describing, and deploying mitigations in software and/or hardware for affected processors. This transparency allows researchers, industry experts, developers, and customers to understand the root cause, whether and how the issue affects their computing environment, and what actions they need to take to address it.
The Intel Developer Zone includes guidance on designing solutions with security in mind, including best practices for cryptography, software-based mitigations, and affected processors by vulnerability.
The Latest from Intel Security
The Intel Product Security Center has the latest security information including security advisories and notices with mitigations or workarounds for vulnerabilities identified.
Expert Insight
Intel Platform Update
Zimo Ma and Carl Schmidt discuss the Intel Platform Update.
Bug Bounty Program
Katie Noble and Chris Holt detail Intel Bug Bounty programs.
Project Circuit Breaker
Security Researcher Seperdad, on the Trusted Crossings event.
Long-Term Retention Lab
Intel realized a need to preserve platforms and their respective design collateral and create a system for teams to track and identify what’s being kept in various locations. By storing products and information about configurations, Intel scaled its engineers’ ability to analyze security and functional issues on supported products more efficiently while better enabling proactive research for the continuous improvement of products.
When the lab started, the main goal was to create a centralized location for storing hardware; this later expanded to retaining thousands of live platforms along with design, software, and documentation collateral. These systems are available to Intel engineers around the globe 24x7 and can be made ready for testing in a matter of minutes.
LTR Lab by the Numbers
- 5,500+ boards
- 100 platform families
- 35,000 silicon items in inventory for product support
Intel's Vivek Tiwari and Fawn Taylor talk about the implementation and operation of the Long-Term Retention Lab.
Leaders in the Security Community
Technology Standards
Intel leads and participates in industry consortia along with standard bodies shaping how technologies should be designed to meet security, privacy, and safety requirements. This engagement includes feature and mitigation requirements aligned to anticipated use cases, as well as the emerging threat landscape generated by our security research. Examples include:
- Trusted Computing Group (TCG)
- Confidential Computing Consortium (CCC)
- 3rd Generation Partnership Project (3GPP)
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO)
General Product Design, Assurance & Risk Management Standards
As vulnerability research methods become more sophisticated, often targeting hardware, Intel is at the forefront of advanced secure-by-design practices, systemic mitigations, automated vulnerability scanning tools, and hardware security training, among other efforts. Examples in this area include:
- MITRE: Intel collaborated with MITRE to extend the community-driven, software-oriented Common Weakness Enumeration (CWE) with 75 hardware weaknesses, and is involved in the Common Vulnerabilities and Exposures (CVE) and Common Attack Pattern Enumeration and Classification (CAPEC) programs.
- Forum of Incident Response and Security Teams (FIRST): Intel contributes to the Common Vulnerability Scoring System (CVSS) and helps lead the Product Security and Incident Response Team (PSIRT) special interest group where Intel employees coauthored the PSIRT Services Framework as a contribution to the global security community.
- Bug Bounty Community of Interest (COI): Intel contributes to the Bug Bounty COI, which is comprised of a group of subject matter experts with a deep interest in the Bug Bounty ecosystem.
Open Source
Open Source Software (OSS) has grown in prominence over the years and has become a key source of innovation and ideas for the industry. Intel has been a contributor to OSS for over 20 years, both within our product portfolio and in critical upstream ecosystems. Intel participates at all levels of the software stack, including:
- Integrated OS and application frameworks
- Cloud, edge, and data center projects
- Browsers and Web-Runtimes
- Machine Learning and AI
- Networking, storage, and databases
- Graphics and media
- Virtualization
- Kernel/OS
- Firmware
- Tools and SDKs
20 years
Intel has invested in hundreds of open source projects over the last 20 years
$250M
In the last 5 years, Intel has invested $250 million in open source security
#1
Intel is the number one corporate contributor to the Linux Kernel
Intel has been a founding member and major contributor to many of the core security-focused groups working to improve the whole open source ecosystem. Our work within these foundations allows us to have a broad positive impact for all stakeholders. While each group has a different focus and projects, they all aim to uplift the security of open source software for all producers and consumers.
Our work at the Open Source Security Foundation (OpenSSF) spans multiple efforts, and all focused on improving the security of how open source software is created, maintained, and delivered throughout software supply chains.
Our work in the Confidential Computing Consortium (CCC) is key to furthering security in cloud and computing that requires high degrees of assurance and security.
The Cloud Native Computing Foundation (CNCF) is focused on cloud, containers, and hyper-scaling workloads across multiple cloud-based networks.