On 03/14/2018 11:40 AM, jim bell wrote:
Security researchers find flaws in AMD chips but raise eyebrows with rushed disclosure
[...]
Why the extremely non-technical video shot on green screen with stock backgrounds composited in? Why the scare tactics of calling out AMD's use in the military? Why don't the bugs have CVE numbers, the standard tracking method for nearly all serious issues? Why was AMD given so little time to respond? Why not, if, as the FAQ suggests, some fixes could be created in a matter of months, at least delay the publication until they were available? And what's with the disclosure that CTS "may have, either directly or indirectly, an economic interest in the performance" of AMD? That's not a common disclosure in situations like this.
* This article originally appeared on TechCrunch.
Why? Well, why not? I will guess that the folks at CTS Labs shorted AMD and made other "side bets" to cash in on the impact of the disclosure. They may have also quietly negotiated some direct compensation from AMD's competitors. Why else skip the traditional advance warning to the vendor, and spend money directly attacking AMD's reputation in the market? I for one approve of this approach to bug disclosure for a couple of reasons. First, the bigger the impact on AMD shareholder value, the more shareholders will demand AMD and comparable vendors spend money on quality assurance programs to reduce their exposure on this front. In the broader context of software markets, a trend toward monetizing bug reports by maximizing their cost to affected vendors will do more harm to closed commercial enterprises than free & open ones, both because the commercial vendors ship more and worse bugs, and because that's where money can be made just by disparaging the product. If this business model becomes a trend, I think it will result in better quality across the board in affected products and markets. :o)