IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Intel didn’t warn US-CERT of Meltdown and Spectre until hacks were public

Letters to lawmakers say Intel took six months to tell the US government about the exploits

Some of the world's biggest tech firms have written to lawmakers to complain that Intel didn't warn US cyber security officials about the Meltdown and Spectre chip security bugs until they went public.

In the letters, the companies, which include tech giants Alphabet, Apple and ARM, said Intel didn't make the issue known to the United States Computer Emergency Readiness Team (US-CERT), until they leaked to the masses at the turn of the year.

The letters, sent on Thursday in response to questions from Republican senator Greg Walden, who chairs the House Energy and Commerce Committee, claimed Intel took a full six months to notify the government's digital security body after Google's security researchers notified it in June.

That notification started the 90-day notice period for the chip giant to fix the issues before telling the world. But, Intel didn't inform US-CERT until 3 January, quite some time after the Meltdown and Spectre bugs had begun to spread. This has led to current and former US government officials raising concerns because the flaws potentially held national security implications.

However, Intel has said that it didn't believe the flaws needed to be shared with US authorities as hackers had not exploited the vulnerabilities.

"Intel and other industry participants were following the guidelines supported by US-CERT's Coordinated Vulnerability Disclosure (CVD)," an Intel spokeswoman said in an emailed statement.

In Intel's letter, the firm stated: "The collaboration between Intel and others in the technology industry regarding the disclosure and mitigation of these vulnerabilities was done in accordance with widely accepted principles commonly referred to as responsible disclosure'."

Intel said this "responsible disclosure" is based on two foundational concepts: First, it said it's about when companies become aware of security vulnerabilities, they work as quickly, collaboratively, and effectively as possible to mitigate those vulnerabilities.

Secondly, it said it's about companies taking steps to minimise the risk that exploitable information becomes available before mitigations are released through leaks or otherwise to those who would use it for malicious purposes.

"While one can debate the details of how best to execute responsible disclosure in specific incidents, Intel agrees with the prevailing industry view that in general responsible disclosure is the best practice because it maximises information security while minimising risk to end-user,", the chipmaker explained.

"Security vulnerabilities vary in their complexity and seriousness, and under responsible disclosure, Intel and other technology companies have identified and fixed many security vulnerabilities over the years."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022