Sunday, February 25, 2018

Vulnerability disclosure – did we get it right with Meltdown and Spectre?

Today Rendition Infosec is releasing a blog post that we started writing more than a month ago. Why now? The dust has settled, that’s why. Prior to the dust settling on Meltdown and Spectre, we think this very important conversation would have been lost in the noise. In light of these vulnerabilities, we think it is important to talk about how their disclosure was handled. What did we get right, what did we get wrong, and how should we in the security community posture for the disclosure of the next round of CPU vulnerabilities (there will be more)?

As most know, Intel found out about the CPU vulnerabilities as early as June of 2017. The mainstream public did not find out about these until January 2018, and then only because AMD engineers made careless comments in open forums that allowed independent researchers to reverse engineer the vulnerabilities. Normally, Google releases vulnerabilities to the public in 90 days, with exceptions given only in rare circumstances. In this case, they waited because of the seriousness of the vulnerabilities and the amount of work needed to patch them.

Read the full post on the Rendition Infosec corporate blog.