• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Status
Not open for further replies.

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,301 (7.52/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into a NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in the regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.



Update: (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."

View at TechPowerUp Main Site
 
Joined
Feb 17, 2017
Messages
854 (0.30/day)
Location
Italy
Processor i7 2600K
Motherboard Asus P8Z68-V PRO/Gen 3
Cooling ZeroTherm FZ120
Memory G.Skill Ripjaws 4x4GB DDR3
Video Card(s) MSI GTX 1060 6G Gaming X
Storage Samsung 830 Pro 256GB + WD Caviar Blue 1TB
Display(s) Samsung PX2370 + Acer AL1717
Case Antec 1200 v1
Audio Device(s) aune x1s
Power Supply Enermax Modu87+ 800W
Mouse Logitech G403
Keyboard Qpad MK80
I don't believe it for a second.
 
Joined
Feb 11, 2009
Messages
5,572 (0.96/day)
System Name Cyberline
Processor Intel Core i7 2600k -> 12600k
Motherboard Asus P8P67 LE Rev 3.0 -> Gigabyte Z690 Auros Elite DDR4
Cooling Tuniq Tower 120 -> Custom Watercoolingloop
Memory Corsair (4x2) 8gb 1600mhz -> Crucial (8x2) 16gb 3600mhz
Video Card(s) AMD RX480 -> RX7800XT
Storage Samsung 750 Evo 250gb SSD + WD 1tb x 2 + WD 2tb -> 2tb MVMe SSD
Display(s) Philips 32inch LPF5605H (television) -> Dell S3220DGF
Case antec 600 -> Thermaltake Tenor HTCP case
Audio Device(s) Focusrite 2i4 (USB)
Power Supply Seasonic 620watt 80+ Platinum
Mouse Elecom EX-G
Keyboard Rapoo V700
Software Windows 10 Pro 64bit
I don't believe it for a second.

I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so whats your problem?
 
Joined
Mar 20, 2019
Messages
427 (0.20/day)
Location
Australia
System Name Ryzen
Processor AMD Ryzen 7 5700X
Motherboard Asus TUF Gaming B550-Plus (Wi-Fi)
Cooling Cryorig H7
Memory Kingston Fury Beast DDR4 3200MHz 2x8GB + 2x16GB
Video Card(s) Sapphire NITRO+ Radeon RX 6700 XT GAMING OC
Storage WD_Black SN850 500GB NVMe SSD + Adata XPG SX8200 Pro 512GB NVMe SSD
Display(s) Gigabyte G27QC
Case NZXT H510 Flow
Audio Device(s) SteelSeries Arctis Prime
Power Supply Corsair RM650x Gold 650W
Mouse Logitech G502 X
Keyboard HyperX Alloy FPS Cherry MX Blue
Software Windows 11 Pro
Oh that's not good PR. Ouch Intel.
 
Joined
Apr 30, 2012
Messages
3,881 (0.84/day)
It was discovered in September and they notified Intel. Intel even paid the bounty. There usually is a 90 day period before the info goes public. We are well passed double the time and Intel wanted another 6 months.
 
Joined
Oct 2, 2015
Messages
3,152 (0.93/day)
Location
Argentina
System Name Ciel / Akane
Processor AMD Ryzen R5 5600X / Intel Core i3 12100F
Motherboard Asus Tuf Gaming B550 Plus / Biostar H610MHP
Cooling ID-Cooling 224-XT Basic / Stock
Memory 2x 16GB Kingston Fury 3600MHz / 2x 8GB Patriot 3200MHz
Video Card(s) Gainward Ghost RTX 3060 Ti / Dell GTX 1660 SUPER
Storage NVMe Kingston KC3000 2TB + NVMe Toshiba KBG40ZNT256G + HDD WD 4TB / NVMe WD Blue SN550 512GB
Display(s) AOC Q27G3XMN / Samsung S22F350
Case Cougar MX410 Mesh-G / Generic
Audio Device(s) Kingston HyperX Cloud Stinger Core 7.1 Wireless PC
Power Supply Aerocool KCAS-500W / Gigabyte P450B
Mouse EVGA X15 / Logitech G203
Keyboard VSG Alnilam / Dell
Software Windows 11
Man, Intel needs a new PR department.
 
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
Man, Intel needs a new PR department.
No, they need a new security head. Clearly this guy isn't "working" so well :ohwell:
See the source image


They should also hire a new lawyer :mad:

See the source image
 
Joined
Nov 3, 2013
Messages
2,141 (0.53/day)
Location
Serbia
Processor Ryzen 5600
Motherboard X570 I Aorus Pro
Cooling Deepcool AG400
Memory HyperX Fury 2 x 8GB 3200 CL16
Video Card(s) RX 6700 10GB SWFT 309
Storage SX8200 Pro 512 / NV2 512
Display(s) 24G2U
Case NR200P
Power Supply Ion SFX 650
Mouse G703 (TTC Gold 60M)
Keyboard Keychron V1 (Akko Matcha Green) / Apex m500 (Gateron milky yellow)
Software W10
I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so whats your problem?
He's a known hardcore Intel fanboy, of course he's gonna defend them tooth and nail. You're preaching to the wrong choir.
Man, Intel needs a new PR department.
Intel needs some serious restructuring from the ground up. IMO PR is least of their concern at the moment.
 
Joined
Dec 10, 2017
Messages
266 (0.10/day)
Processor Intel core i5 4590s
Motherboard Asus Z97 Pro Gamer
Cooling Evercool EC115A 915SP Cpu cooler,Coolermaster [200mm (front and top)+140mm rear]
Memory Corsair 16GB(4x4) ddr3 CMZ16GX3M4X1600C9(Ver8.16)(XMP)
Video Card(s) MSI GTX 970 GAMING 4G
Storage Western Digital WDC WD2001FAS 2TB Black, Toshiba DT01ACA100 1TB
Display(s) LG Flatron L177WSB
Case Coolermaster CM Storm Enforcer
Audio Device(s) Creative A550 Speakers 5.1 channel
Power Supply SuperFlower Leadex 2 Gold 650W SF-650F14EG
Mouse PLNK M-740 Optical Mouse
Keyboard ibuypower GKB100 Gaming Keyboard
Software Windows 7 Sp1 64 bit
Joined
Mar 31, 2012
Messages
862 (0.19/day)
Location
NL
System Name SIGSEGV
Processor AMD Ryzen 9 9950X
Motherboard MSI MEG ACE X670E
Cooling Noctua NF-A14 IndustrialPPC Fan 3000RPM | Arctic P14 MAX
Memory Fury Beast 64 Gb CL30
Video Card(s) TUF 4090 OC
Storage 1TB 7200/256 SSD PCIE | ~ TB | 970 Evo | WD Black SN850X 2TB
Display(s) 27" /34"
Case O11 EVO XL
Audio Device(s) Realtek
Power Supply FSP Hydro TI 1000
Mouse g402
Keyboard Leopold|Ducky
Software LinuxMint
Benchmark Scores i dont care about scores

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,427 (4.68/day)
Location
Kepler-186f
Processor 7800X3D -25 all core
Motherboard B650 Steel Legend
Cooling Frost Commander 140
Video Card(s) Merc 310 7900 XT @3100 core -.75v
Display(s) Agon 27" QD-OLED Glossy 240hz 1440p
Case NZXT H710 (Red/Black)
Audio Device(s) Asgard 2, Modi 3, HD58X
Power Supply Corsair RM850x Gold
Intel needs an entire new re-structuring, and I think they are getting that now with the new CEO, sadly the new CEO doesn't care about consumer, he only cares about big data centers moving forward because that is where the money is. Luckily, AMD EPYC Rome 7nm is going to smoke Intel in that area too, so Intel will be forced to diversify and improve very fast to appease the stock holders. Free markets work as long as there is competition, AMD is bae.
 
Joined
Mar 26, 2019
Messages
40 (0.02/day)
System Name NEO
Processor i9-7940X All cores @ 4.8GHZ
Motherboard Asus Rampage VI Extreme
Cooling MO-RA 420 Pro Radiator Stainless Steel, EK X-TOP Revo Dual D5,EK Velocity, Phanteks 1080Ti GPU Block
Memory 64GB Trident Z RGB 3600 Quad Kit
Video Card(s) Asus Strix 1080Ti OC
Storage Samsung 960Pro, WD Gold 10TB, 2X WD Red 4TB
Display(s) Benq SW320 32" 4k, Samsung 24" Full HD
Case Coolermaster Cosmos 2 (Mod)
Power Supply Corsair AX1500i
Mouse Logitech MX Master 2s, Logitech G502 Hero
Keyboard Logitech
Software Windows 10 Pro
Dang cheap ass amateurs! $40,000 or $80,000? This is what you get for your cheapness......FAIL!

These things require "brute force"......Next time Intel throw a million on their face in one go and wipe the floor. But $40k? Come one I would also tell you to shove it off!
 
Joined
Dec 10, 2015
Messages
545 (0.17/day)
Location
Here
System Name Skypas
Processor Intel Core i7-6700
Motherboard Asus H170 Pro Gaming
Cooling Cooler Master Hyper 212X Turbo
Memory Corsair Vengeance LPX 16GB
Video Card(s) MSI GTX 1060 Gaming X 6GB
Storage Corsair Neutron GTX 120GB + WD Blue 1TB
Display(s) LG 22EA63V
Case Corsair Carbide 400Q
Power Supply Seasonic SS-460FL2 w/ Deepcool XFan 120
Mouse Logitech B100
Keyboard Corsair Vengeance K70
Software Windows 10 Pro (to be replaced by 2025)
Joined
Apr 1, 2017
Messages
420 (0.15/day)
System Name The Cum Blaster
Processor R9 5900x
Motherboard Gigabyte X470 Aorus Gaming 7 Wifi
Cooling Alphacool Eisbaer LT360
Memory 4x8GB Crucial Ballistix @ 3800C16
Video Card(s) 7900 XTX Nitro+
Storage Lots
Display(s) 4k60hz, 4k144hz
Case Obsidian 750D Airflow Edition
Power Supply EVGA SuperNOVA G3 750W
classic intel
and to think they've been doing this for almost two decades now and people still buy their CPUs... jesus christ
 
Joined
Jul 28, 2007
Messages
94 (0.01/day)
Location
Portugal
Processor AMD Ryzen 5 3600
Motherboard MSi MPG X570 Gaming Plus
Cooling Noctua NH-D14
Memory G.Skill DDR4-3600 Trident Z CL 16
Video Card(s) MSi GTX 1080 Gaming X 8GB
Storage Crucial P1 500GB M.2 NVMe
Display(s) Acer Predator XB1 IPS 165Hz G-Sync
Case Lian-Li PC-A10B
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro Series
Power Supply Seasonic Focus+ Gold 750W
Mouse Zowie EC1-A
Keyboard G.Skill KM780 MX (MX brown)
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
 
Last edited:

rtwjunkie

PC Gaming Enthusiast
Supporter
Joined
Jul 25, 2008
Messages
14,019 (2.34/day)
Location
Louisiana
Processor Core i9-9900k
Motherboard ASRock Z390 Phantom Gaming 6
Cooling All air: 2x140mm Fractal exhaust; 3x 140mm Cougar Intake; Enermax ETS-T50 Black CPU cooler
Memory 32GB (2x16) Mushkin Redline DDR-4 3200
Video Card(s) ASUS RTX 4070 Ti Super OC 16GB
Storage 1x 1TB MX500 (OS); 2x 6TB WD Black; 1x 2TB MX500; 1x 1TB BX500 SSD; 1x 6TB WD Blue storage (eSATA)
Display(s) Infievo 27" 165Hz @ 2560 x 1440
Case Fractal Design Define R4 Black -windowed
Audio Device(s) Soundblaster Z
Power Supply Seasonic Focus GX-1000 Gold
Mouse Coolermaster Sentinel III (large palm grip!)
Keyboard Logitech G610 Orion mechanical (Cherry Brown switches)
Software Windows 10 Pro 64-bit (Start10 & Fences 3.0 installed)
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look and said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying" but asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
Nice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.
 
Last edited:
Joined
Feb 23, 2019
Messages
6,106 (2.87/day)
Location
Poland
Processor Ryzen 7 5800X3D
Motherboard Gigabyte X570 Aorus Elite
Cooling Thermalright Phantom Spirit 120 SE
Memory 2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s) RTX3080 Ti FE
Storage SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s) LG 34GN850P-B
Case SilverStone Primera PM01 RGB
Audio Device(s) SoundBlaster G6 | Fidelio X2 | Sennheiser 6XX
Power Supply SeaSonic Focus Plus Gold 750W
Mouse Endgame Gear XM1R
Keyboard Wooting Two HE
I'd have absolutly loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)
Best part about, his Uni probably paid for most of it :D Dream deal.
 
Joined
Jun 19, 2010
Messages
409 (0.08/day)
Location
Germany
Processor Ryzen 5600X
Motherboard MSI A520
Cooling Thermalright ARO-M14 orange
Memory 2x 8GB 3200
Video Card(s) RTX 3050 (ROG Strix Bios)
Storage SATA SSD
Display(s) UltraHD TV
Case Sharkoon AM5 Window red
Audio Device(s) Headset
Power Supply beQuiet 400W
Mouse Mountain Makalu 67
Keyboard MS Sidewinder X4
Software Windows, Vivaldi, Thunderbird, LibreOffice, Games, etc.
Vrije Universiteit Amsterdam (Free University Amsterdam) whouldn´t be free if under NDA.

So Intel whould have to buy the whole and not make a joke of its self.
 
Joined
Sep 23, 2008
Messages
312 (0.05/day)
Location
Richmond, VA
Processor i7-14700k
Motherboard MSI Z790 Carbon Wifi
Cooling DeepCool LS720
Memory 32gb GSkill DDR5-6400 CL32 Trident Z5
Video Card(s) Intel ARC A770 LE
Storage 990 Pro 1tb, 980 Pro 512gb, WD black 4tb
Display(s) 3 x HP EliteDisplay E273
Case Corsair 5000D Airflow
Power Supply Corsair RM850x
Mouse Logitec MK520
Keyboard Logitec MK520
Software Win 11 Pro 64bit
Benchmark Scores Cinebench R23 Multi 35805
queue Intel fanboy damage control
 
Joined
Apr 10, 2013
Messages
302 (0.07/day)
Location
Michigan, USA
Processor AMD 1700X
Motherboard Crosshair VI Hero
Memory F4-3200C14D-16GFX
Video Card(s) GTX 1070
Storage 960 Pro
Display(s) PG279Q
Case HAF X
Power Supply Silencer MK III 850
Mouse Logitech G700s
Keyboard Logitech G105
Software Windows 10
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am a not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
 
Joined
May 8, 2018
Messages
1,571 (0.65/day)
Location
London, UK
40k or 80k is nothing to them, now if it was around 5 million then it might have achieved success.
 

iO

Joined
Jul 18, 2012
Messages
531 (0.12/day)
Location
Germany
Processor R7 5700x
Motherboard MSI B450i Gaming
Cooling Accelero Mono CPU Edition
Memory 16 GB VLP
Video Card(s) RX 7900 GRE Dual
Storage P34A80 512GB
Display(s) LG 27UM67 UHD
Case none
Power Supply Fractal Ion 650 SFX
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am a not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
The standard 90 days deadline forces them to react and work on fixes instead of dragging their feet and hoping people will just buy their (probably also vulnerable) 10k series in a few months.
 
Status
Not open for further replies.
Top