At the end of last month, there was reporting that Intel had informed a number of companies, including Chinese companies, about the Meltdown and Spectre security flaws, but did not inform the US Government's Computer Emergency Response Team (CERT). It is CERT that issues warnings for cyber security issues. Oregon Representative Greg Walden reached out to a number of companies about when information on the vulnerabilities was disclosed, and Reuters got a look at the responding letters, including the one Intel sent with its explanation.
According to the letter, the reason Intel did not inform CERT is that there was "no indication that any of these vulnerabilities had been exploited by malicious actors." The letter also states that the company did not perform an analysis to determine if the flaws could harm critical infrastructure, because it believed industrial control systems would not be affected. Intel did inform a number of other companies prior to the flaws' public disclosure, giving them time to ready responses to the issues.
Intel was not the only company to reply to the Representative's questions. Microsoft stated it informed antivirus software makers of the flaws weeks before the public disclosure, to avoid compatibility issues, while AMD said Alphabet, the parent company of Google, extended the usual 90-day disclosure deadline twice: first to January 3 and then to January 9. (Ironically, it was January 3 when The Register first reported on and publicly exposed the issues.) Alphabet also stated it left informing government officials about the security flaws up to the affected chipmakers, which is its standard practice.