> On Jan 13, 2018, at 1:08 PM, Murray McCullough via cctalk 
> <cctalk@classiccmp.org> wrote:
> 
> I wrote about Spectre and Meltdown recently: INTEL took its time to inform
> the world! 

Of course, and for good reason.  The current practice has been carefully 
crafted by the consensus of security vulnerability workers.  That is: when a 
vulnerability is discovered, the responsible party is notified confidentially 
and given a reasonable amount of time to produce a fix before the issue is 
announced publicly.  There's a big incentive for that response to happen and 
typically it does.  If the issue is ignored, the announcement happens anyway 
along with public shaming of the party who didn't bother to respond.

With this approach, a fix can often be released concurrently with the 
disclosure of the issue, which dramatically reduces the opportunity for 
criminals to take advantage of the problem.  This isn't a case of being nice to 
Intel; it's an attempt to benefit Intel's customers.

If you read the Meltdown and Spectre papers (by the researchers who discovered 
the problem, not the news rags reporting on it) you'll see this policy 
mentioned in passing.  

        paul
