Intel Expands its Bug Bounty Program, Says its CPUs are Safer than AMD’s
Intel Corp. is calling on “elite hackers” to join its newly expanded bug bounty program, dubbed Project Circuit Breaker. The new program will allow these individuals to work side-by-side with Intel engineers as they work to discover security flaws in the company’s CPUs, chipsets, drivers, and firmware. In announcing the new initiative, the company also released a 2021 security report describing the types of vulnerabilities it discovered last year, their severity, and how many were discovered internally versus externally. Intel also compares itself with AMD in the report, noting that fewer security vulnerabilities were found in its processors than in AMD’s.
Its Circuit Breaker program, which was flagged by Wccftech, is essentially an Olympics of hacking, as top hackers compete with each other to win prizes, climb the leaderboard, and pull off righteous hacks on Intel’s hardware and software. Intel says it will offer challengers months of training including Capture the Flag competitions, bounty multipliers up to 4x, and access to beta hardware and software. On the program’s landing page, Intel spells out what it’s looking for in terms of hacker qualities, and says it will be revealing more in the coming months about how to join the program.
Its 2021 Security Report is full of interesting data points. Intel goes to great lengths to point out its commitment to finding and fixing vulnerabilities whether it’s done in-house or through external researchers. It says the total number of Common Vulnerabilities and Exposures (CVE) that were found in 2021 was 226, with 50 percent of them discovered by Intel engineers. The following chart shows which platforms had the most CVEs.
Intel only lists two of the CVEs it discovered as “critical,” with 52 being “high,” 147 listed as “medium,” and 25 as low danger. You’ll no doubt note the unusually high number of vulnerabilities in GPUs, and you might think that’s from Intel’s very own GPUs, which are embedded in the CPU die. But alas, a lot of them are actually AMD’s fault. According to the report, “23 of the 37 vulnerabilities in the Graphics Processing Units category were in third party components, shipped as part of an Intel platform,” which links to the CVE page describing the vulnerabilities found in AMD’s VegaM GL graphics chip. Back in 2017, Intel shipped Kaby Lake G, which was a platform featuring an Intel CPU with a separate Vega graphics die designed by AMD, backed by 4GB of HBM memory. This was back when Intel had only one plus sign after 14nm, and AMD was still using GlobalFoundries to make its GPUs.
On the CPU front, Intel says in 2021 it found just 16 CVEs in its CPUs, compared to 31 for AMD, thus its CPUs are safer. However, there is a caveat here, which is that Intel doesn’t have access to AMD’s internal security reports, so it’s only reporting what has been found by external research teams. Still, AMD’s number is obviously higher, so adding anything internally from AMD would just make the number go up.
Counting CPU and GPU CVEs together, however, Intel lists itself as having more vulnerabilities than AMD. It says in its report that it’s comparing itself to AMD because both companies offer these products, so they can be compared. In total, Intel rang up 67 CVEs in 2021 across both markets, with 16 on the CPU side and 51 on the GPU side. AMD is listed as being responsible for 58, broken up by 31 for its CPUs, and 27 for its GPUs.
Intel says nothing about how severe the AMD bugs were versus its own, only that there were more bugs found on AMD CPUs. Severity matters too, as far as evaluating the overall impact on a CPU or platform — but even severity is not enough. Some of the speculative execution bugs of the past few years have been flagged as top-level security problems, but no publicly known hacking group appears to be attempting to exploit Spectre-type speculative execution errors to exfiltrate data out of CPUs. In some cases a problem can be rated “Critical” but have little to no real-world impact due to the practical difficulty of taking advantage of it.