Is this a bribe? A bug bounty is a standard program for lots of companies, we don't consider the bounty a bribe. I mean, you could bribe someone in this way but there needs to be some nefarious intent going on - just giving them money to delay announcement until you've fixed the bug seems like a fairly pure motive to me.
They offered them a lower bug bounty reward with a big "gift" on the side. This would mean Intel gets to report the bug as lower severity. And presumably the extra "gift" money, which raises the total paid above the max bounty they normally offer by $20,000, had some strings attached.
I've already read articles that some of the vulnerabilities were found more than a year ago. And as others reported similar exploits, they grouped them all together into 2 "teams" and made the PR release all at once. The only reason we're hearing anything now is that I heard the team who found the first bug threatened to leak since it had been a whole year. The first bug was discovered a year and three days ago. If they didn't threaten to leak, god knows how long Intel would have spent collecting bugs.
This CPU "bug" is actually 4 different CVEs, some quite different from the others, and presumably discovered at various times over the past year.
Just scummy as hell by Intel. They #1 forced a bunch of different researchers who found different bugs to split the bounty, #2 aggregated the bugs rolling in for more than a year to minimize impact. That's on top of the attempted bribery and rumors that the microcode + patches do not fully mitigate leaks between hyper threads.
And for the argument that they didn't have enough time at one year... They had enough time to fix and release new silicon! Intel states that chips made in the last month are fixed at a hardware level. It's orders of magnitude harder to ship silicon than software, so my assumption is that the fixes for existing chips have been ready for a while. They've just been sitting, waiting
> #2 aggregated the bugs rolling in for more than a year to minimize impact.
When the impact is new microcode for every out-of-order CPU going back to Sandy Bridge, that's not on its face entirely unreasonable. The date for the new microcode for my Ivy Bridge workstation I'm typing this on is 2019-02-13; if testing followed that... Could even be they wanted to further delay release until they could do more testing.
> They had enough time to fix and release new silicon!
If I were a researcher, I'd be happy to delay for 6 months for a reward.
Really? What if a nation state actor has discovered the same bug. Do you want to keep the world vulnerable for a 6 month window?
Also, most European university researchers are funded through taxpayer money. They should do what is best for the general population, not what is best for some company's stock value.
> Do you want to keep the world vulnerable for a 6 month window?
There exist far more bugs than discovered bugs. By revealing it, I put some people at risk (those who fail to update), and by hiding it I put more people at less risk (everyone, but only if someone else discovers the bug).
It's a tradeoff, but 6 months is a good window for most people to update, while there is still not too much chance of the bug being independently discovered.
The only European country where I'm somewhat familiar with research funding is Sweden, and at least there direct corporate funding is a tiny sliver of the overall university research budget. And even when companies do fund research projects, much of the funding is things like letting their researchers work 'for free' on the project or giving free access to data, equipment and licenses rather than cash.
I only really know two northwestern (European) countries and they are both not Sweden. Corporate funding there is "strings attached" money, both for direction and scope of the research (and in at least one case a final say on whether or not research gets published). Corporate funding is also somewhat expected, as working from just government money is a huge outlier (it is not enough).
It's interesting to see that policies differ so much even inside of the relatively wealthy parts of Europe :)
To clarify slightly. Corporate 'co-funding' and cooperation is not uncommon in projects (and is in fact a requirement for funding in many cases), but the amount of actual cash this adds up to is a tiny percentage of the overall national university research budgets.
It became morally bad to delay any longer once it was obvious that multiple teams were finding the same bugs. There's a crap ton of people listed as discoverers in the CVEs.
Who knows how many other actors discovered the same bugs and didn't say anything? Likely multiple, honestly.
We've finally run into a real life proof of why bug embargoes are bad. This is the first time I know of that multiple people independently discovered the same thing before the embargo period was over.
Saying something is "morally bad" doesn't really make sense unless you also define the moral framework that it is bad in. As you did not do so, it reads as if you expect the reader to understand what morality it is bad in (maybe even that it is obvious).
This money was also meant for downplaying the severity of the vulnerability, allowing Intel to spin the discovery and lose less face. This is a politically charged bribe; their bug bounty program has been constructed to lend credibility to it.
Tomorrow's story: "Intel execs discovered wiping their ass with retail CPUs before packaging. Company defends measure as 'giving things a personal touch'. Stock prices rise."