Intel offered “reward” to Dutch researchers to downplay MDS vulnerability (opens in new tab)

(techpowerup.com)

77 pointsMrCzar6y ago18 comments

18 comments

Is this a bribe? A bug bounty is a standard program for lots of companies, we don't consider the bounty a bribe. I mean, you could bribe someone in this way but there needs to be some nefarious intent going on - just giving them money to delay announcement until you've fixed the bug seems like a fairly pure motive to me.

nullwasamistake6y ago

They offered them a lower bug bounty reward with a big "gift" on the side. This would mean Intel gets to report the bug as lower severity. And presumably the extra "gift" money, which raises the total paid above the max bounty they normally offer by $20,000, had some strings attached.

I've already read articles that some of the vulnerabilities were found more than a year ago. And as others reported similar exploits, they grouped them all together into 2 "teams" and made the PR release all at once. The only reason we're hearing anything now, is that I heard the team who found the first bug threatened to leak since it had been a whole year. The first bug was discovered a year and three days ago. If they didn't threaten to leak, god knows how long Intel would have spent collecting bugs.

This CPU "bug" is actually 4 different CVE's, some quite different from the others, and presumably discovered at various times over the past year.

Just scummy as hell by Intel. They #1 forced a bunch of different researchers who found different bugs to split the bounty, #2 aggregated the bugs rolling in for more than a year to minimize impact. That's on top of the attempted bribery and rumors that the microcode + patches do not fully mitigate leaks between hyper threads.

And for the argument that they didn't have enough time at one year... They had enough time to fix and release new silicon! Intel states that chips made in the last month are fixed at a hardware level. It's orders of magnitude harder to ship silicon than software, so my assumption is that the fixes for existing chips have been ready for a while. They've just been sitting, waiting

dfrage6y ago

> #2 aggregated the bugs rolling in for more than a year to minimize impact.

When the impact is new microcode for every out-of-order CPU going back to Sandy Bridge that's not on its face entirely unreasonable. The date for the new microcode for my Ivy Bridge workstation I'm typing this on is 2019-02-13; if testing followed that.... Could even be they wanted to further delay release until they could do more testing.

> They had enough time to fix and release new silicon!

And properly test it?

krageon6y ago

You question whether or not this is a bribe, but then you get to this:

> giving them money to delay announcement until you've fixed the bug

And this is why it is a bribe. Sure, maybe you feel this isn't ethically problematic in which case you could just take it.

londons_explore6y ago

I think it depends on if the agreement is to delay the announcement, or hide the announcement forever.

If I were a researcher, I'd be happy to delay for 6 months for a reward, but I would consider it morally bad to delay forever for a reward.

3 more replies

tinus_hn6y ago

Why would companies pay a bug bounty and then expect nothing in return?

mannykannot6y ago

You have, indeed, discovered the reason why companies pay bribes.

In the case of bug bounties, one self-interested reason for them is to provide an alternative to the black market in vulnerabilities.

h2odragon6y ago

Tomorrow's story: "Intel execs discovered wiping their ass with retail CPUs before packaging. Company defends measure as 'giving things a personal touch'. Stock prices rise."

j / k navigate · click thread line to collapse