Intel Corp is calling on “elite hackers” to join its newly
expanded bug bounty program, dubbed Project Circuit Breaker. The new program
will allow these individuals to work side-by-side with Intel engineers as they
work to discover security flaws in the company’s CPUs, chipsets, drivers, and
firmware. In announcing the new initiative, the company also released a 2021
security report describing the types of vulnerabilities it discovered last
year, their severity, and how many were discovered internally versus
externally. Intel also compares itself with AMD in the report, noting that
fewer security vulnerabilities were found in its processors than in AMD’s.
Its Circuit Breaker program,
which was flagged by Wccftech, is essentially
an Olympics of hacking, as top hackers compete with each other to win prizes,
climb the leader board, and pull off righteous hacks on Intel’s hardware and
software. Intel says it will offer challenger’s months of training including capture
the Flag competitions, bounty multipliers up to 4x, and access to beta hardware
and software. On the program’s landing page, Intel spells out what it’s looking
for in terms of hacker qualities, and says it will be revealing more in the
coming months about how to join the program.
Its 2021 Security Report is full of interesting data points. Intel goes to great
lengths to point out its commitment to finding and fixing vulnerabilities
whether it’s done in-house or through external researchers. It says the total
number of Common Vulnerabilities and Exposures (CVE) that were found in
2021 was 226, with 50 percent of them discovered by Intel engineers. The
following chart shows which platforms had the most CVEs.
Intel only lists two of the CVEs it discovered as “critical,” with
52 being “high,” 147 listed as “medium,” and 25 as low danger. You’ll no doubt
note the unusually high number of vulnerabilities in GPUs, and you might think
that’s from Intel’s very own GPUs, which are embedded in the CPU die. But alas,
a lot of them are actually AMD’s fault. According to the report, “23 of the 37
vulnerabilities in the Graphics Processing Units category were in third party
components, shipped as part of an Intel platform,” which links to the CVE page
describing the vulnerabilities found in AMD’s Vega M GL
graphics chip. Back in 2017, Intel shipped Kaby Lake G, which was a platform
featuring an Intel CPU with a separate Vega graphics die designed by AMD,
backed by 4GB of HBM memory. This was back when Intel had only one plus sign
after 14nm, and AMD was still using GlobalFoundries to make its GPUs.
On the CPU front, Intel says in 2021 it found just 16 CVEs in its
CPUs, compared to 31 for AMD, thus its CPUs are safer. However, there is a
caveat here, which is that Intel doesn’t have access to AMD’s internal security
reports, so it’s only reporting what has been found by external research teams.
Still, AMD’s number is obviously higher, so adding anything internally from AMD
would just make the number go up.
Taken together, counting both CPU and GPU CVEs, Intel lists
itself as having more vulnerabilities than AMD, however. It says in its report
it’s comparing itself to AMD because both companies offer these products, so they
can be compared. In total, Intel rang up 67 CVEs in 2021 across both markets,
with 16 on the CPU side and 51 on the GPU side. AMD is listed as being
responsible for 58, broken up by 31 for its CPUs, and 27 for its GPUs.
Intel says nothing about how severe the AMD bugs were versus its
own, only that there were more bugs found on AMD CPUs. Severity matters too, as
far as evaluating the overall impact on a CPU or platform — but even severity
is not enough. Some of the speculative execution bugs of the past few years
have been flagged as top-level security problems, but no publicly known hacking
group appears to be attempting to exploit Spectre-type speculative execution
errors to exfiltrate data out of CPUs. In some cases a problem can be rated
“Critical” but have little to no real-world impact due to the practical
difficulty of taking advantage of it.