Standard practice of vulnerability disclosure
CTS Labs disclosed to Advanced Micro Devices (AMD) vulnerabilities in its chipsets that could only be exploited by an attacker who already had administrative access to the system. AMD acknowledged these vulnerabilities and, as a standard response, started working on a fix.
However, CTS Labs gave AMD only 24 hours before it disclosed these vulnerabilities to the public. Such action goes against the standard practice of vulnerability disclosure and raises questions about the intentions of CTS Labs.
In the standard vulnerability disclosure process, the finder identifies the vulnerability and informs the affected vendor. The vendor then investigates the issue and presents its findings. The affected vendor works with the finder to adopt appropriate fixes, and then the finder and the vendor both disclose the flaw and the corrective measures that have been taken to the public.
Amsterdam-based Vrije University researcher Ben Gras stated that by keeping things confidential, both parties reduce the impact of the discovered vulnerability while maintaining transparency. Even Google (GOOG) researchers followed the process when they discovered flaws in Intel’s (INTC) chip design in June 2017. The chip flaws were disclosed only after fixes were almost in place.
In this recent case, by contrast, CTS Labs disclosed the flaws after just 24 hours, stating that it estimated AMD would require “many months” to fix the issue. AMD, however, stated that it would have the fixes in place within a few weeks. Many researchers doubted the intentions of CTS Labs.
Was there a hidden motive behind CTS Labs’ disclosure?
A Bloomberg article stated that Gras believes CTS Labs is not “acting in good faith.” Linux creator Linus Torvalds believes that CTS Labs’ actions make it look like their intention was to manipulate stocks rather than to advise on security issues. The basis of his comments was the unusual trading activity reported in AMD stock when CTS Labs publicly disclosed its report.
However, other security experts stated that, regardless of any exaggeration or hidden intent, it can’t be denied that the flaws are real and were accurately described in CTS Labs’ report.
AMD stock reacted to the negative news but did not react quickly to any positive news. In the next article, we’ll find out why.