Ever since the Spectre and Meltdown CPU vulnerabilities prompted a security reckoning for Intel in 2018, the chipmaker has been doubling down on investments in product security, which included the formation of the Intel Product Assurance and Security group as well as a bug bounty program.
Those investments have also included more public-facing communications, such as Intel’s 2020 Product Security Report, which came out Wednesday and outlines where the company found vulnerabilities in its products, how severe they were and how Intel worked with external researchers. None of the 231 vulnerabilities addressed by Intel in 2020 had known connections to actual attacks, the company said.
“Transparency is part of Intel’s security first commitment and this report is representative of how we seek to lead through accountability,” Intel said in the report. “In an ever-changing threat landscape, providing the right information for customers to properly assess risk is a responsibility we embrace as we continue on our journey to be the trusted performance leader that unleashes the potential of data.”
In the report, Intel outlined its processes for developing products with security in mind. Those processes include the Security Development Lifecycle, which builds security requirements and reviews into a product from its earliest design stages and which has been in use since at least 2009, according to the company. The company also has a process called Compute Lifecycle Assurance, which extends that attention to security across the entire life of a product.
The report also outlined Intel’s offensive research capabilities, which include teams that identify and resolve vulnerabilities in products, as well as collaborations with organizations like the Confidential Computing Consortium, the National Institute of Standards and Technology and MITRE, the latter of which maintains the Common Vulnerabilities and Exposures (CVE) system.
What follows are the five biggest takeaways from Intel’s product security efforts in 2020, including how many vulnerabilities were uncovered by Intel versus external researchers, which product areas had the most vulnerabilities uncovered and how severe the issues were.
Intel’s Bug Bounty Program Got A Lot More Engagement
Since establishing its bug bounty program in 2018, Intel said it has paid out an average of $800,000 per year for external researchers who uncover new vulnerabilities in its products.
In 2020, Intel saw a 33 percent increase in the number of bounty submissions, and the number of CVEs credited to bug bounty researchers rose to 105 from 70 the previous year. (Submissions and CVEs are counted separately: not every report results in a CVE, and a single report can produce more than one.) At the same time, the number of security researchers contributing to the program increased 62 percent.
Intel’s Internal Research Uncovered Most Vulnerabilities
Intel said its internal security research team uncovered the most product vulnerabilities in 2020, covering 47 percent of all CVEs addressed. External researchers in Intel’s bug bounty program, on the other hand, uncovered 45 percent. The remaining 8 percent of vulnerabilities were found by Intel partners, customers and organizations that weren’t part of the bug bounty program.
This represented a more even split between internal and external researchers than in 2019, when Intel’s own researchers accounted for a larger share of the vulnerabilities uncovered. The total number of vulnerabilities addressed by Intel in 2020 was 231, versus 236 the year before.
Most Intel Vulnerabilities Were In Software, Firmware
Out of the 231 vulnerabilities addressed by Intel in 2020, 93, or 40 percent, were found in software, which includes driver updates, applications and software utilities. The second most prevalent category was firmware — which included the BIOS, Intel Management Engine and firmware for graphics and networking products — with 66 reported vulnerabilities, or 29 percent.
Those two categories were followed by firmware and software combined, which Intel said is a separate category for instances “where firmware and software updates are delivered together to mitigate an issue.” The firmware and software category represented 58 vulnerabilities, or 25 percent. For hardware, which included microcode updates, there were 14 reported vulnerabilities, or 6 percent.
Most Of Intel’s Vulnerabilities Had A Medium Severity
Intel said most of the 231 vulnerabilities last year had a medium severity, followed by high, low and critical severities in that order. Each severity level reflects how easily, and from where, a malicious actor could take advantage of the vulnerability and how much damage doing so could cause.
The number of vulnerabilities with a medium severity was 131, representing 57 percent of the total. Intel said a medium severity means a vulnerability can be triggered by an authenticated user who has physical access to the system or is on the same physical network, which roughly corresponds to the Physical and Adjacent attack vectors in CVSS combined with a requirement for some level of privilege.
There were 80 high-severity vulnerabilities, representing 35 percent of the total reported last year. Only six critical-severity vulnerabilities were reported, representing 3 percent of the total; the remaining 14, or 6 percent, were low severity. Intel said critical- and high-severity issues are those that can be triggered by an unauthenticated user or from outside the local area network.
The level of severity is based on the Common Vulnerability Scoring System (CVSS), an open framework that scores a vulnerability on base characteristics intrinsic to the flaw and constant over time, temporal characteristics that change as exploits and fixes appear, and environmental characteristics unique to a particular user’s deployment. In CVSS version 3 the qualitative ratings map to score ranges: low is 0.1 to 3.9, medium 4.0 to 6.9, high 7.0 to 8.9 and critical 9.0 to 10.0.
Intel Server Boards, Graphics, CSME Had A Lot Of Vulnerabilities
The product areas with the most reported vulnerabilities in 2020 were Intel server boards, graphics, software utilities and Intel Converged Security and Management Engine, or CSME for short.
Intel broke down vulnerabilities by product area into two groups: those found by internal researchers and those found by external researchers. For those found by Intel’s internal researchers, the most prevalent product areas were Intel CSME, Intel server boards, networking and BIOS.
The vulnerabilities found by external researchers spanned a much wider range of product areas. The product areas with the highest number of uncovered vulnerabilities were graphics, software utilities, Intel CSME and Intel server boards. CPUs also ranked highly, a category Intel said consists of potential side-channel vulnerabilities reported by academic institutions and security research organizations.