> On Jan 13, 2018, at 1:08 PM, Murray McCullough via cctalk
> <cctalk@classiccmp.org> wrote:
>
> I wrote about Spectre and Meltdown recently: INTEL took its time to inform
> the world!
Of course, and for good reason. The current practice has been carefully
crafted by the consensus of security vulnerability workers. That is: when a
vulnerability is discovered, the responsible party is notified confidentially
and given a reasonable amount of time to produce a fix before the issue is
announced publicly. There's a big incentive for that response to happen and
typically it does. If the issue is ignored, the announcement happens anyway
along with public shaming of the part who didn't bother to respond.
With this approach, a fix can often be released concurrently with the
disclosure of the issue, which dramatically reduces the oppportunity for
criminals to take advantage of the problem. This isn't a case of being nice to
Intel; it's an attempt to benefit Intel's customers.
If you read the Meltdown and Spectre papers (by the researchers who discovered
the problem, not the news rags reporting on it) you'll see this policy
mentioned in passing.
paul
