Intel didn’t warn US-CERT of Meltdown and Spectre until hacks were public

Letters to lawmakers say Intel took six months to tell the US government about the exploits

Some of the world's biggest tech firms have written to lawmakers to complain that Intel didn't warn US cyber security officials about the Meltdown and Spectre chip security bugs until they went public.

In the letters, the companies, which include tech giants Alphabet, Apple and ARM, said Intel didn't make the issue known to the United States Computer Emergency Readiness Team (US-CERT), until they leaked to the masses at the turn of the year.

The letters, sent on Thursday in response to questions from Republican senator Greg Walden, who chairs the House Energy and Commerce Committee, claimed Intel took a full six months to notify the government's digital security body after Google's security researchers notified it in June.

That notification started the 90-day notice period for the chip giant to fix the issues before telling the world. But, Intel didn't inform US-CERT until 3 January, quite some time after the Meltdown and Spectre bugs had begun to spread. This has led to current and former US government officials raising concerns because the flaws potentially held national security implications.

However, Intel has said that it didn't believe the flaws needed to be shared with US authorities as hackers had not exploited the vulnerabilities.

"Intel and other industry participants were following the guidelines supported by US-CERT's Coordinated Vulnerability Disclosure (CVD)," an Intel spokeswoman said in an emailed statement.

In Intel's letter, the firm stated: "The collaboration between Intel and others in the technology industry regarding the disclosure and mitigation of these vulnerabilities was done in accordance with widely accepted principles commonly referred to as responsible disclosure'."

Intel said this "responsible disclosure" is based on two foundational concepts: First, it said it's about when companies become aware of security vulnerabilities, they work as quickly, collaboratively, and effectively as possible to mitigate those vulnerabilities.

Secondly, it said it's about companies taking steps to minimise the risk that exploitable information becomes available before mitigations are released through leaks or otherwise to those who would use it for malicious purposes.

"While one can debate the details of how best to execute responsible disclosure in specific incidents, Intel agrees with the prevailing industry view that in general responsible disclosure is the best practice because it maximises information security while minimising risk to end-user,", the chipmaker explained.

"Security vulnerabilities vary in their complexity and seriousness, and under responsible disclosure, Intel and other technology companies have identified and fixed many security vulnerabilities over the years."

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Jack Dorsey resigns as Twitter CEO
business management

Jack Dorsey resigns as Twitter CEO

29 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021