Tuesday, March 02, 2021

Intel Celebrates Successful Year of Bug Hunting

None of the 231 vulnerabilities patched by Intel in 2020 are known to have been exploited, the company boasted in its annual product security report published today. Of the common vulnerabilities and exposures (CVEs) addressed last year, Intel claims 92% were the direct result of investments it made to ensure the security of its product line. In other words, the vulnerabilities were found and patched because Intel and its partners were looking for them.

“We design with security in mind,” the report’s authors wrote. “Developing the strongest products demands that security is more than a one-time event.”

Last week, Martin Dixon, VP of security architecture and engineering at Intel, detailed the various ways Intel approaches security. These practices range from building advanced security features into the silicon to working with outside researchers to find and remediate issues before they can be exploited. According to the report, this approach appears to be working: 47% of the CVEs were identified by Intel employees, and 45% were reported through the company’s bug bounty program. Just 17 vulnerabilities were reported by organizations that have not traditionally sought bounty payments, the company noted.

Since it was established in 2018, Intel’s bug bounty program has paid out an average of $800,000 a year. In 2020, the number of CVEs reported through the program rose to 105 from 70 the year prior, a 50% increase, and Intel reported a 62% increase in the number of external security researchers engaging with the program.

While none of the CVEs are known to have been exploited, the vast majority were of medium (131 CVEs) or high (80 CVEs) severity. These disproportionately affected the company’s server boards, networking products, and Converged Security and Management Engine (CSME). Just six CVEs were rated critical and 14 were rated low.

Intel continued to focus much of its attention on core platform protections and related firmware issues in 2020, relying heavily on external researchers to identify vulnerabilities in its vast array of software drivers and utilities. While 69% of firmware vulnerabilities were identified internally by Intel, 83% of software vulnerabilities were found by external researchers, the report found. Of the 231 CVEs, Intel said 93 (40%) were software related, 66 (29%) were in firmware, 58 (25%) affected both software and firmware, and 14 (6%) were hardware vulnerabilities.

“The majority of external research in 2020 focused on software drivers for networking, graphics, and Bluetooth components followed by potential vulnerabilities in various software utilities available for download in the Intel download center,” the report said.