Intel's security vulnerability bounty program is wrapped in non-disclosure agreements designed to limit the damage Intel suffers from the discovery of a new vulnerability. Under its terms, as soon as a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, undertaking not to disclose their findings or discuss them with any person or entity other than certain authorized people at Intel. With public disclosure withheld, Intel can work on mitigations and patches for the vulnerability. Intel argues that knowledge of a vulnerability becoming public before it has had a chance to address it would give attackers time to design and spread malware that exploits it. This is an argument the researchers at VU were not willing to accept, and so Intel has been forced to disclose RIDL while microcode updates, software updates, and patched hardware are only beginning to become available.
Update (17/05): An Intel spokesperson commented on this story.
Intel contacted us with a statement on this story concerning the terms of its bug bounty program:
“We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website.”