Why didn't Intel tell CERTs and the US government about CPU flaws?
According to a report in The Register on February 23, Intel and six other companies (Amazon, AMD, Apple, ARM, Google, Microsoft) sent letters to the US Congress explaining why they did not disclose their chip design flaws to the rest of the world. According to previous reports, these chips are widely affected by the Meltdown and Spectre flaws.
Republican members of the U.S. House Energy and Commerce Committee wrote to the seven companies in January to find out why they did not disclose the flaws and whether they thought this was safe and responsible. In addition, the chip design flaws were serious enough that the members of Congress insisted that the seven companies give a reasonable explanation.
For now, the letter from Intel appears to be the most informative. It reveals that, prior to public disclosure of the vulnerabilities, Intel disclosed information about Spectre and Meltdown only to companies that could help it improve security for users of its technology and handle the discovered vulnerabilities. Project Zero also extended its 90-day vulnerability disclosure deadline to January 2018 to assist with bug fixes. Once the vulnerabilities became known, Intel would speed up the deployment of mitigations and promptly notify all governments. Intel said it developed this contingency plan after considering the CERT Guide to Coordinated Vulnerability Disclosure, the Common Vulnerabilities and Exposures (CVE) Numbering Authority Rules, and the Forum of Incident Response and Security Teams' Common Vulnerability Scoring System. However, because The Register and other blogs reported on the flaws ahead of the planned disclosure, Intel's original plan was disrupted.
The letter also states: “Later this year, Intel will introduce new hardware design changes in our products to address vulnerabilities such as Spectre and Meltdown.”
However, most of the letters from the other companies point to the fact that Spectre and Meltdown are Intel’s problems.
Source: The Register