Snack-n-Hack Rules of Engagement
A. General Timeline
This timeline covers only the technical and hacking-related activities. For more up to date information about meals and other notable events, please see the event itinerary. Dates and times are subject to change without notice.
Date | Time | Event |
August 9 | 12:00 PM PST | Doors open |
August 9 | 12:30 PM PST | Kickoff Announcements Scope Phase 1 Available Submissions openRefreshments available |
August 9 | 6:00 PM PST | Dinner |
August 10 | 12:00 AM PST | Scope Phase 2 Available |
August 10 | 7:30 AM PST | Breakfast |
August 10 | 12:00 PM PST | Scope Phase 3 Available |
August 10 | 12:30 PM PST | Lunch |
August 10 | 6:00 PM PST | Dinner |
August 11 | 12:00 AM PST | Scope Phase 4 Available |
August 11 | 7:30 AM PST | Breakfast |
August 11 | 10:00 AM PST | Announcement: Final Call for submissions |
August 11 | 12:00 AM PST | Submissions Close |
August 11 | 12:30 PM PST | Lunch |
August 11 | 1:30 PM PST |
Awards |
Hang out around the hotel, partner up with some peers, share your tools, techniques, half-complete bugs and see if someone can help you turn it into a full vulnerability. Intel/Intigriti meetings available by request, please reach out via Slack to schedule. All on-site team members will also be available throughout the day and may congregate in certain areas of the hotel. See Slack for more real time location or activity information.
NOTICE: This event is hosted with a best-effort level of support. No service level agreements or deadlines will be provided.
B. Scope
Scope will be announced at the event and will cover three categories of web/SaaS products:
- Primary Target
- Secondary Target
- Mystery Target
Each numbered ‘Scope Phase’ will have unique assets in scope. All submissions must be received during the designated Scope Phase to be eligible for rewards.
† Note: Intel infrastructure and information technology systems are not eligible for bounty and CVEs will not be issued for findings in these areas. If you believe you have an opportunity to escalate/pivot a vulnerability from one of the in-scope products listed to access or exploit another target outside of the defined scope, Intel must grant explicit approval before testing occurs.
Intel wants participants to focus on any Intel branded product(s) and system(s) within the provided product(s). All non-Intel components will be considered out-of-scope. Any submissions on third-party products will be passed along to the product vendor, however Intel will not pay for these issues. It is recommended that participants do not focus their time on non-Intel branded products. This event does not expand the Intel Bug Bounty Program; the product(s) included in this event are in scope only for the duration of this event unless otherwise stated on the Intel(R) Bug Bounty Program Terms page.
If issues reported to our Bug Bounty Program affect a third-party library, external project, or another vendor, Intel reserves the right to forward details of the issue to that party. Intel will do our best to coordinate and communicate with researchers through this process.
C. Rules
- All Intel(R) Bug Bounty Program Termsapply to this event unless superseded by a rule stated here or express written permission is authorized by both Intigriti and the Intel® Bug Bounty Program.
- All data and reports must be submitted through the Intel program on Intigriti with a timestamp between the open and close of the submission window and during the designated Scope Phase.
- Participants agree that all information, recordings, documents, or other materials offered for their use during this event will not be shared beyond other event participants and event staff. All such materials must be removed from participants’ systems at the conclusion of the event.
- Public disclosure is not authorized for any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability during this event.
- Participants will not discuss technical details of issues found during this event (outside of approved channels) without prior approval from Intel.
- Participants will act in an ethical manner in all situations during this event. Intel commits to adhering to the standards outlined by the FIRST.Org Ethics SIG.
- Participants will comply with the principles of Coordinated Vulnerability Disclosure as outlined by ISO/IEC 29147 and 30111.
- Participants agree that all testing and network traffic will originate outside the People’s Republic of China.
- Participants will ask and wait for explicit permission from Intel before performing escape, escalation, or other system pivot-type exploitation.
- All submissions must be made at the event, any submissions received while the reporter is not present at the event will not be eligible for rewards. Submissions will be tagged with a unique identifier by Intel staff to indicate it was submitted at the event.
D. General Communications
This is a private event for Intel. As such, it is important to be conscious of what you say about this event in the public sphere. Intel intends to make a public announcement of this event and commits to publicly recognize researchers that participate in this event.
- Live meetings with Intel engineers over video conferences may be provided at regular intervals throughout the course of this event. This is an opportunity to ask any technical or scope questions to the Intel team.
- Slack channels have been created and will be monitored by Intel.
- All communication should be restricted to the slack.com Slack workspace, unless having private discussions with the team.
- Private discussions via email communications between participant and Intel/Intigriti should be encrypted via PGP key provided by Intel/Intigriti.
- Private discussions should always include a representative from Intigriti and the Intel team.
- Over the course of the event, Intel may provide public updates on the status of the event.
E. Recognition Plan
Intel may not publish a CVE or public security advisory for vulnerabilities reported by participants during this event.
Intel asks participants to not share any vulnerability information publicly, either during or after the event, without explicit written permission from Intel.
F. Bounty Schedule
The Bounty Schedule is subject to change without notice.
Severity | Bounty (up to) |
None/Informational | $100 |
Low | $500 |
Medium | $1,000 |
High | $3,000 |
Critical/Exceptional | $5,000 |
Exceptional Bonus | $2,500 |