Intel Project Circuit Breaker

Knights of Elektron

Project Circuit Breaker and Intigriti are happy to introduce the Knights of Elektron, an upcoming live hacking event featuring a brand-new product that has never participated in the Intel® Bug Bounty Program. This event will be unlike anything we have done before: it will include a week of remote hacking and technical content sessions, followed by more than 4 days in person to collaborate, learn, hack, and earn bounties.


Need to Know:

Application Period: June 16 – July 8
Participation Slots: 50+
Event Run: October 6 – 22
Duration: 17 days
Non-Disclosure Agreement: Yes [see FAQs]
Location: Lisbon, Portugal

Applications are Closed

Are you ready for a challenge?

We have borrowed three open-source AWS architecture diagrams (these are not designs for Intel products) for you to inspect and see if you can spot the flaws. Each diagram has at least one element that doesn’t belong; spot the flaws and identify what the system is designed to do.

Take the Challenge

Want to be invited?

Check out the variety of ways you can earn an invitation* to this event.

50 fully-sponsored invitations

20 Top Intigriti hackers – learn more
20 Hacker applications – apply now / learn more

    • 10 Raffled across all qualified applicants
    • 10 Committee voted from qualified applicants

10 Golden Ticket Invitations

Up to 50 non-sponsored participants will also be admitted

*Invitation does not guarantee participation. All persons require platform and program approval, and program eligibility validation.

Frequently Asked Questions (FAQ)

Invitation/Selection Process

What does “fully-sponsored” vs “non-sponsored” mean?

This is an experiment to broaden the number of hackers and increase accessibility to an event that would otherwise be a very exclusive invitation-only opportunity. Non-sponsored participants will be responsible for their own travel arrangements and expenses to get to and from the event location. Fully-sponsored invitations include travel arrangements provided for you by the event organizers. All activities and opportunities are identical between both participation types.

 

Could you provide more details about the target? The term “including SaaS running on cloud infrastructure, web applications, APIs, and more” is somewhat unclear.

No, we cannot share any more information right now. The description posted was carefully considered to ensure that we could list the skill categories that would be most impactful for performing security research/testing without unveiling the product or specific product category. Sharing the product information before the event may result in an unfair advantage to some researchers, or encourage other hacking activities leading up to the event which could have a negative impact on the event outcomes and experience for all participants.

 

What does “fully-sponsored” mean in terms of travel arrangements and accommodations?

Fully-sponsored means that travel and accommodations for the duration of the event (plane or train, and hotel) would be arranged by Intigriti and paid for on your behalf, or in the case of car travel would be paid back based on actual expense incurred. Self-sponsored means that you are responsible for paying for your travel to the event location and your accommodations. Travel expenses are the most significant portion of event costs and by offering a way for some folks to self-fund their travel, we are able to invite more people than is standard for this kind of an event.

 

“20 Top Intigriti hackers will be fully-sponsored.” Is this referring to the top 20 individuals on the Intigriti leaderboard, or the top 20 individuals on the Intel leaderboard? I am not sure if I should apply or if my current rank will mean I fall into this group already.

These invitation slots are decided by Intigriti and proposed to Intel for consideration and eligibility validation. It is a mix of top people on Intel’s leaderboard, Intigriti’s platform leaderboard, past live hacking event top hackers, and up-and-coming new-to-live-event names. The invitations for these people were already sent, so if you are on the list you should have already received the email. When in doubt, please apply! Let us figure out if your application was not needed because you were pre-qualified.

 

If I am selected to participate and be fully sponsored, but for some reason, I am unable to participate in the event (such as due to unexpected work commitments during the period from October 6th to October 22nd, 2023), what should I do to cancel my participation?

Due to the in-person design of this event, we are very interested in making sure that we select people who will be able to both (1) commit time to attend the technical sessions and perform hacking/research during the first week (at home) and (2) travel to Portugal for the second week of the event (Oct 18-22) for all of the in-person activities and hacking time. If you are selected but later find out that you need to back out and cancel your participation, we ask for as much notice as possible. This enables us to hopefully cancel your travel arrangements and, if given enough notice, re-use that funding to invite a different person who will be able to attend. In the case where someone accepts an invitation but does not attend the event, it may be recorded as a negative mark and is likely to prevent inclusion in future exclusive events like this (both by Intel and by Intigriti).

We urge you to apply, noting both skillsets you currently have and skillsets you are interested in learning. Leave it up to Intel and Intigriti to evaluate your application and determine if we think you would be a good fit for this event. Even if you are not selected for full-sponsorship, you may still have the opportunity to self-sponsor your travel to participate. The application process will result in 20 candidates receiving fully sponsored invitations to the event, but we will have another 50 invitations that we may extend to candidates who indicate they are willing to self-sponsor their travel to the event.

 

I really want to be invited so I will wait until the last day to apply. That allows me to keep hacking and reporting bugs to programs on the Intigriti platform so I can boost my platform stats which will improve my chances of being selected.

Please submit your application ASAP. A submission on day 1 or day 20 of the application process will be treated the same. The statistics-based invitations will have already been sent to qualified hackers. Increasing your stats on the platform will not increase your chances of being selected.

NDA + CVD

Is there a defined timeframe that the NDA is effective?

Yes. The effective dates of the NDA are listed within the NDA. Expectations are to preserve confidentiality of covered materials from the time participants receive those materials until 5 years after receiving the materials.

 

What specifically does the NDA cover?

Please read your specific NDA to see what is covered for the event. The Project Circuit Breaker NDA used for each event is designed to protect information that is shared by Intel to participants, and protect information shared by participants to Intel. In general, though, Project Circuit Breaker events are individually crafted to enable security researchers to get a jump start performing research against a specific Intel product or technology. We make that happen by curating product specific training sessions, Q&A time with product engineers and experts, and technical information about the target or related technologies/products/components. These materials are a mixture of existing content and custom content created especially for the event and are not accessible to the public, which is why the event requires an NDA.

 

Can I share with others that I’m participating in the event?

Absolutely. Please do! You are welcome to share that you were accepted to the event (and link to the website), the location of the event, how long you will be there, and that you are working with Project Circuit Breaker. Please refrain from discussing the subject matter of the research. If you have concerns, please ask someone from our team and we will be more than happy to review what you’d like to publish.

 

Does the NDA cover vulnerability information?

Yes, the NDA includes a requirement to follow Coordinated Vulnerability Disclosure (CVD) practices. The expectations are described in greater detail here: https://www.intel.com/content/www/us/en/security/security-practices/coordinated-disclosure.html.

 

What are the penalties for violating any of the event terms, including the Bug Bounty Program Terms, Community Code of Conduct, KoE Rules of Engagement, and NDA (collectively, “Event Terms”)?

Intel retains the discretion to impose the appropriate penalty for violating Event Terms, which may include (but is not limited to) removing the researcher from the event, denial of bounties, or suspension on the BB platform.

 

Can I speak/write about a vulnerability I find in a redacted or non-specific way which does not reveal the target? If not, for how long?

Vulnerabilities identified during the Knights of Elektron event are not eligible for disclosure by Intel. After a mitigation or other remediation has been published for the affected product(s), researchers will be notified and may then be eligible to publish information about their research.

Target

Was the live recon event in Las Vegas against the same target we’ll be hacking on in Portugal?

The event in Las Vegas was designed to give Intel critical information about a target, to create advertising collateral for a future keynote by the Intel CTO, and to bolster the Project Circuit Breaker program/brand.

 

Do the people who attended that Las Vegas event have an advantage?

No. This event is significantly different from the August event. Giving researchers an even/fair playing field is something we are acutely aware of and we worked very hard to provide everyone who participates in this event an opportunity to showcase their unique experience and skills.

 

Can you tell us about the target?

No information about the target will be released prior to the event official kickoff on October 6.

 

Is this a hardware product? I don’t think I’m qualified for that.

No, this is not a hardware product. The target is a brand-new type of product that Intel has not sold before.

 

Without revealing the product, in which dimension would it be? Mobile, web, binary, firmware, etc.?

The targets for this event will be revealed during the kickoff call on October 6th. Our sending you an invitation is an indication that we think your skillset probably aligns with the targets we are planning.

 

We are receiving training and gaining experience with this new product, will it be around to hack on after the event?

Please review the Intel Bug Bounty Program Terms to understand if any product(s) featured in this event will be eligible for rewards after the event ends.

 

When will the product team start fixing bugs? Will it be before or after the dupe window ends? Will the severity of vulnerability impact the speed?

Our goal is to ensure the product(s) are available to hackers during the entire event window (Oct 6 – 21). Bug fixing during this timeframe should happen only if required to ensure the product(s) are stable and available for continued hacking.

Technical Sessions

When will technical sessions be planned?

The list of the workshops and training sessions is in the Rules of Engagement.

 

Will the technical sessions be recorded?

Yes. They will be recorded and made available to participants during the event. These recordings are covered by the NDA and must not be retained after the event or distributed to anyone.

Event Format + Logistics

How many people are coming?

Approximately 100 hackers and staffers will be in attendance.

 

Can I bring a friend to hack with me?
Can you invite X person? They missed the signup time.

No. The participants list was closed as of September 10th. The participation seats were carefully considered, and many opportunities were made available to ensure as broad an audience as possible could join. We encourage you and your friend to both apply for future Project Circuit Breaker events together.

 

Why do this in Lisbon?

The event planning team explored hosting the event in a variety of locations all over the world. Some factors that went into the decision included event management costs and ease of access for researchers and event staff (visas, travel time, time zone adjustments, etc.).

 

Are people allowed to participate remotely?

No. We have designed this as an in-person event. If an emergency comes up (e.g. ill during departure day, visa issues, etc.), the Bug Bounty Team will review each case individually.

 

The event starts on October 6th, does that mean we can start submitting reports before arriving on-site?

Yes, as soon as we announce the target during the kickoff call, submissions will be open.

 

Will there be a dupe window?

Yes, there will be a dupe window, and the details will be announced during the kickoff call. There will be bounty splitting.

 

This is my first time attending a “live hacking event”; is there brief info on what happens during these events?
Are we supposed to do all the hacking offline at home? Isn’t it a bit against the spirit of onsite live hacking events?

This event will follow the standard live hacking event format: about 2 weeks online followed by a few days on-site. A detailed schedule is provided in the Rules of Engagement document and will be discussed during the kickoff call. Submissions open on the 6th and close on the 21st. The first 11 days of the event (Oct 6 – Oct 17) will include lots of content provided and hosted by Intel. Then, we have allotted approx. 36 hours for travel time, followed by 3 on-site days (Oct 19 – 21). On the 19th and 20th everyone is welcome to explore the hotel and surrounding area, and is encouraged to collaborate and make the most of the time and co-location with each other and the Intel and Intigriti team members. Additionally, we will be providing a variety of meals and social gatherings/activities during these on-site days. On October 21st, everyone will gather for the big finale day, which will culminate in show & tell presentations and awards.

 

Has the transport to and from the airport been figured out, or is that something we figure out on an individual basis?

Transportation to and from the airport and all activities will be arranged for you. The hotel is close to the airport and there are a variety of ways to get between the two. When you arrive at the airport, look for an Intigriti employee who will help you get to the hotel. A detailed itinerary and instructions will be available closer to the event.

 

How will vulnerability scoring be handled?

We will be scoring on CVSS 3.1, as stated in the Program Terms. The Intigriti Triage team will be the first team to review and set a score. The Bug Bounty team and product team will also review the vulnerability and provide input to set the score. We urge hackers to submit their reports with a CVSS vector and include justification for the vector components to assist in that determination process. Intel will be the final decision maker on vulnerability scoring.

Rewards

What will the bounties be?

The bounty schedule will be made available during the kickoff call on October 6. The payout scales have been reviewed by a group of experts and were developed using experiential data models.

 

Will there be bonuses? What are they?

Yes. A list of bonuses and criteria to earn them will be made available during the kickoff call on October 6th. If you have ideas for bonuses, please email projectcircuitbreaker@intel.com.