
16 intel.com/responsibility 2021-22 Corporate Responsibility Report

Cybersecurity and Product Security

At Intel, security comes first both in the way we work and in what we work on. Our culture and practices guide everything we build, with the goal of delivering the highest performance and optimal protections. As with previous reports, the 2021 Intel Product Security Report demonstrates our Security First Pledge and our endless efforts to proactively seek out and mitigate security issues.

We recognize that massive shifts in how we live, work, connect, and communicate increase the need for technologies that people trust, built on a foundation of security. We prioritize security in two ways: in the way we work, through our culture and practices aimed at delivering high performance and protections in everything we build; and in what we work on, through our relentless pursuit of security-driven innovations that help our customers tackle today’s toughest challenges.

Security Technologies Strategy. To meet the challenges of computing that spans cloud to edge and devices, security must be a continual focus. We understand the complexity that results from the ongoing computing transformation. We have deep experience in enabling security, as well as a comprehensive suite of technologies that help secure entire systems and deliver defense in depth. We engineer security solutions to meet specific challenges centered around three key priorities: foundational security to help systems come up as expected, workload protection to improve security of data in use, and software reliability to build in hardware-based protections against common software threats.

Comprehensive Security Practices. Through the Security Development Lifecycle (SDL), we apply security and privacy principles at six phases, from planning through release and post-deployment. SDL covers Intel® hardware, firmware, and software products.
In release and post-deployment, an essential part of our product support is ongoing security research and mitigations. In 2021 we expanded our Bug Bounty Program, which incentivizes security researchers to report vulnerabilities in Intel products. We began rewarding researchers with bonus multipliers for findings in specific areas of interest, leading to mitigations and improved security in an array of products. We also work across the industry to improve security; when a vulnerability is identified, we work with affected partners to develop and release mitigations. We align on disclosure to minimize potential threats while we work to address the vulnerability.

Security Research. Continuous improvement is made through investments in offensive research on the security of our products. We have a dedicated team of experts who continually research and test products internally. Internal security research for 2021 accounts for 50% of the issues addressed and an additional 43% were reported through Intel’s Bug Bounty Program. This work is scaled through practices that include red teaming and hackathons. We use what we learn to improve our products and practices, and we collaborate with world-class industry partners, global security researchers, and academic institutions to advance security research across the industry.

For more information, visit Product Security at Intel or read our Intel Product Security 2021 Report. In addition, our Cyber Security Inside podcast series provides insights on cybersecurity-related trends to information security and industry executives.

[Figure: Security Development Lifecycle. Phases shown: planning and assessment; architecture; design; implementation; security validation; release/post deployment.]

Securing Intel’s Supply Chain

Our sourcing and manufacturing practices are built on decades of experience and aligned to industry-leading processes.
Our supply chain security program leverages this expertise and has embedded security controls throughout the vendor lifecycle. Intel’s supply chain security risk management program is derived from standard industry risk management frameworks such as NIST and ISO and provides security assurance through the integration of security controls throughout sourcing and supplier management practices.

Security expectations begin at supplier selection. Expectations are then reinforced through contractual security terms and conditions, recurring information security audits, ongoing security key performance indicators, and recurrent required training. Our Cybersecurity Supply Chain Risk Management (C-SCRM) program executes hundreds of information security supplier audits annually and is aligned to standard industry information security management frameworks, including ISO 27001 and NIST 800-30. Additionally, we continuously monitor the cybersecurity posture of our suppliers through a third-party security ratings platform and have a dedicated third-party cyber incident response team.

We are also committed to advancing evolving supply chain security standards and policies by working with governments, organizations, and industries. Visit our Sourcing and Manufacturing Security site to learn more.
