
Intel Expands Bug Bounty Program - taspeotis
https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/
======
adrianN
Cheaper than expanding the internal testing department?

~~~
make3
do you have any factual reason to think they're not doing both

~~~
adrianN
If I had information about Intel's internal budgeting I probably would not be
allowed to tell HN.

------
arkadiyt
Does anyone know if Project Zero has a policy on submitting issues found to
bug bounties? Curious if they get to "double dip"

~~~
SheinhardtWigCo
How would that be "double dipping"?

~~~
arkadiyt
Because they get full time salaries from Google for bug hunting.

~~~
ars
That's not really double dipping, that's more of a bonus.

~~~
SteveNuts
But it causes an enormous conflict of interest...

Hey Bob can you make a bug, I'll report it, and we'll split the pot?

~~~
throwaway613834
Confused, which company would Bob be working for here? How would he make a
bug?

~~~
lowpro
Also, is there not always a conflict of interest with bug bounties anyway, as a
friend of an employee could always 'find a bug' somewhere? I'm not sure I see
how being Project Zero or a normal user makes a difference.

------
jimmies
What a coincidence. Just today, I released the project that I've been holding
off for more than a year: Basically, it is a distro [1] for the Raspberry Pi
whose sole purpose is to clean the Intel ME automatically using me_cleaner from
Chromebooks and Thinkpads. The whole idea is to make it dead simple so more
and more people can DIY the ME removal process with their own laptop/desktop.

I thought to myself, it's nice to not have the problem in the first place. It
won't help you with certain problems such as Spectre, no, but reducing the
surface of attack is not a silly thing. There are things you can't avoid even
with the best intentions. But there are things that you can.

The name of it is ezpi4me [2]. Of course, it's pretty experimental. You might
not want to experiment with it (yet?). It's not very practical, yet, for an
inexperienced individual to open a laptop and risk bricking it by fiddling with
a flash chip.

I put a lot of thought into it before I decided to release this. To me
personally, it's more of a symbolism/a protest than it is practical. The
project is the inner me saying, maybe instead of complaining, I'd have to get
up my butt and do a tiny thing to help the cause I believe in. I despise the
practice of shoving _mandatory_ opaque, backdoor binary blobs to their
hardware -- and incentivizing people from saying their shitty binary blobs
have security problems by offering hackers/security researchers a shitload of
money so they shut up and cooperate. What it entails is that what can be
bought by a lot of money from Intel can be bought by even more money from
other people. It really rustles my jimmies.

We'd have to start somewhere. Perhaps a year from now, someone will figure out
an even easier, better way to achieve the same result. Or perhaps, it will be
easy enough to the point that some guys on eBay/Amazon/brick and mortar stores
will use my software to clean the ME from laptops they sell en masse as a
factor of differentiation. I hope it will be another step up in terms of
usability and adoption from me_cleaner. With that hope, I'm just donating a
couple of sleepless nights of my life working on software that might
jeopardize my career and make a lot of people upset. But fuck all that, I'm
doing it anyway; for once I can say I'm the change that I want to see.

--

1: Technically, it's just a script to create a distro based on raspbian lite,
so everything can be inspected. That is on purpose because I don't want to
advocate replacing the 3MB Intel ME blob with jimmies' blob, which is a 2GB
image that you run on your Pi and program your computer's UEFI firmware/BIOS.

2: https://github.com/htruong/ezpi4me/

