Intel is expanding its Bug Bounty program with Project Circuit Breaker, bringing together a community of elite hackers to hunt bugs in firmware, hypervisors, GPUs, chipsets and more. Project Circuit Breaker broadens and deepens Intel's existing open Bug Bounty program by hosting targeted time-boxed events on specific new platforms and technologies, providing training and creating opportunities for more hands-on collaboration with Intel engineers. Project Circuit Breaker's first event, Camping with Tigers, is already underway with a group of 20 researchers who received systems with Intel Core i7 processors (formerly "Tiger Lake").

Project Circuit Breaker is possible thanks to our cutting-edge research community. This program is part of our effort to meet security researchers where they are and create more meaningful engagement. We invest in and host bug bounty programs because they attract new perspectives on how to challenge emerging security threats - and Project Circuit Breaker is the next step in collaborating with researchers to strengthen the industry's security assurance practices, especially when it comes to hardware. We look forward to seeing how the program will evolve and to introducing new voices to the meaningful work that we do."
-Katie Noble, director, Intel Product Security Incident Response Team (PSIRT) and Bug Bounty

Thanks to the report of ZDnet, we have information that Sony has launched a bug bounty program for its Playstation console. Sony will pay security researches upwards of $50K for a bug they discover. Of course, there are smaller rewards and it depends on what type of bug is discovered. The starting amount for the bug bounty program is $100. The area of bug exploits includes Playstation Network, the PlayStation 4 console itself, and the PS4 operating system. The bug bounty program is going to be available and managed through the HackerOne platform, where multiple companies like PayPal, Slack, etc. keep track of bugs and offer rewards for them. You can check out the Playstation bug bounty program here.

Riot Games has come under fire recently for its "Vanguard" anti-cheat software found in their new game Valorant due to the use of kernel-mode drivers with Ring 0 privileges. This raised several important security and user concerns around system security and stability, while not solving the root problem Riot Games has in response released a new blog post detailing the workings of the "Vanguard" anti-cheat software. This blog post was paired with an announcement that Riot Games would be increasing the maximum payout available from their bug-bounty program and introduce a new "Vanguard" scope to help further improve security. Riot Games has also introduced new updates to Valorant which will allow users to disable "Vanguard" from the system tray when not in-game, however, this will lock the player out of Valorant until the computer is rebooted. In addition to the system tray changes is an option to fully uninstall the "Vanguard" software from the user's computer has been added at long last.

Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into a NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in the regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.Update: (17/05): An Intel spokesperson commented on this story.

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

While Microsoft has been offering bug bounty incentives since at least 2012, Google has arguably been much more vocal in its bug bounty programs. The company recently increased the maximum payout in its bug bounty programs (mainly focused on Android) to a staggering $200,000, and now Microsoft is not only following suit - it's upping the game.

With the Windows Bounty Program, which Microsoft announced yesterday, the company is looking towards an increased incentive to security-hardening suggestions from tech-savvy users. This program will extend to all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. And incentives starting at $500 and going all the way up to $250,000 are very, very respectful.

It's never fun to be contacted by a legal department and be told that something you bought online is not rightfully yours. Still, this occasionally does happen in the case of intellectual property that has been misplaced and is not supposed to be resold. Example: The case of Reddit user Khemist49, who found himself in possession of a CD-ROM claiming to be the original source code for the game "StarCraft." Where did he get said disc? A box of "old Blizzard-related stuff" he bought on Ebay in April. Thinking he had something special, he posted on Reddit asking what to do with it.