Friday, May 17th 2019
Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability
Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.
Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, agreeing not to disclose their findings or communicate in that regard with any person or entity other than certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigations and patches for the vulnerability. Intel argues that information about a vulnerability becoming public before it has had a chance to address it would give the bad guys time to design and spread malware that exploits it. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.
Update (17/05): An Intel spokesperson commented on this story.
Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."
Sources:
NRC.nl, EverythingIsNorminal (Reddit)
87 Comments on Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability
phoronix.com/scan.php?page=news_item&px=Zombie-Load-Gaming-Impact
This is with HT ON; I'm afraid to imagine it with HT OFF.
Edit: He just posted the complete test:
www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=1
Can someone give us some info on how the big data center clients react to such a decrease in performance? Losing 10%~40% in 1 day should make some noise. What are they going to do now to get back to 100%? Add more cabinets or what? Who is paying for this? Intel?
www.nrc.nl/nieuws/2019/05/14/hackers-mikken-op-het-intel-hart-a3960208
I don't see that as bribery as it probably falls under the Bug Bounty program umbrella.
Good Lord, Intel. How you have fallen …
Now we know what they tried to sweep under the carpet!
Smartcom
Researchers: We already did but you haven't fixed the issues yet.