I've already read articles that some of the vulnerabilities were found more than a year ago. And as others reported similar exploits, they grouped them all together into 2 "teams" and made the PR release all at once. The only reason we're hearing anything now, is that I heard the team who found the first bug threatened to leak since it had been a whole year. The first bug was discovered a year and three days ago. If they didn't threaten to leak, god knows how long Intel would have spent collecting bugs.
This CPU "bug" is actually 4 different CVE's, some quite different from the others, and presumably discovered at various times over the past year.
Just scummy as hell by Intel. They #1 forced a bunch of different researchers who found different bugs to split the bounty, #2 aggregated the bugs rolling in for more than a year to minimize impact. That's on top of the attempted bribery and rumors that the microcode + patches do not fully mitigate leaks between hyper threads.
And for the argument that they didn't have enough time at one year... They had enough time to fix and release new silicon! Intel states that chips made in the last month are fixed at a hardware level. It's orders of magnitude harder to ship silicon than software, so my assumption is that the fixes for existing chips have been ready for a while. They've just been sitting, waiting
When the impact is new microcode for every out-of-order CPU going back to Sandy Bridge that's not on its face entirely unreasonable. The date for the new microcode for my Ivy Bridge workstation I'm typing this on is 2019-02-13; if testing followed that.... Could even be they wanted to further delay release until they could do more testing.
> They had enough time to fix and release new silicon!
And properly test it?
> giving them money to delay announcement until you've fixed the bug
And this is why it is a bribe. Sure, maybe you feel this isn't ethically problematic in which case you could just take it.
If I were a researcher, I'd be happy to delay for 6 months for a reward, but I would consider it morally bad to delay forever for a reward.
In the case of bug bounties, one self-interested reason for them is to provide an alternative to the black market in vulnerabilities.
Really? What if a nation state actor has discovered the same bug. Do you want to keep the world vulnerable for a 6 month window?
Also, most European university researchers are funded through taxpayer money. They should do what is best for the general population, not what is best of some company's stock value.
There exist far more bugs than discovered bugs. By revealing it, I put some people at risk (those who fail to update), and by hiding it I put more people at less risk (everyone, but only if someone else discovers the bug).
It's a tradeoff, but 6 months is a good window for most people to update, while there still not being too much chance of the bug being independently discovered.
This is absolutely not a given. While it might be partially true, they are frequently also funded through corporate grants.
Who knows how many other actors discovered the same bugs and didn't say anything? Likely multiple, honestly.
We've finally run into a real life proof of why bug embargoes are bad. This is the first time I know of that multiple people independently discovering the same thing before the embargo period was over.
It's interesting to see that policies differ so much even inside of the relatively wealthy parts of Europe :)