Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Status
Not open for further replies.

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
46,354 (7.68/day)
Location
Hyderabad, India
Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in that regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.



Update (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."

 
Joined
Feb 17, 2017
Messages
852 (0.33/day)
Location
Italy
I don't believe it for a second.
 
Joined
Feb 11, 2009
Messages
5,393 (0.97/day)
I don't believe it for a second.

I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so what's your problem?
 
Joined
Mar 20, 2019
Messages
413 (0.22/day)
Location
Australia
Oh that's not good PR. Ouch Intel.
 
Joined
Apr 30, 2012
Messages
3,881 (0.89/day)
It was discovered in September and they notified Intel. Intel even paid the bounty. There usually is a 90 day period before the info goes public. We are well past double the time and Intel wanted another 6 months.
 
Joined
Oct 2, 2015
Messages
2,991 (0.96/day)
Location
Argentina
Man, Intel needs a new PR department.
 
Joined
Apr 12, 2013
Messages
6,743 (1.68/day)
Man, Intel needs a new PR department.
No, they need a new security head. Clearly this guy isn't "working" so well :ohwell:
They should also hire a new lawyer :mad:

 
Joined
Nov 3, 2013
Messages
2,141 (0.56/day)
Location
Serbia
I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so what's your problem?
He's a known hardcore Intel fanboy, of course he's gonna defend them tooth and nail. You're preaching to the wrong choir.
Man, Intel needs a new PR department.
Intel needs some serious restructuring from the ground up. IMO PR is least of their concern at the moment.
 
Joined
Dec 10, 2017
Messages
266 (0.11/day)
Joined
Mar 31, 2012
Messages
828 (0.19/day)
Location
NL

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
15,890 (4.58/day)
Location
Kepler-186f
Intel needs an entire new re-structuring, and I think they are getting that now with the new CEO, sadly the new CEO doesn't care about consumer, he only cares about big data centers moving forward because that is where the money is. Luckily, AMD EPYC Rome 7nm is going to smoke Intel in that area too, so Intel will be forced to diversify and improve very fast to appease the stock holders. Free markets work as long as there is competition, AMD is bae.
 
Joined
Mar 26, 2019
Messages
36 (0.02/day)
Dang cheap ass amateurs! $40,000 or $80,000? This is what you get for your cheapness......FAIL!

These things require "brute force"......Next time Intel throw a million on their face in one go and wipe the floor. But $40k? Come on I would also tell you to shove it off!
 
Joined
Dec 10, 2015
Messages
545 (0.18/day)
Location
Here
Joined
Apr 1, 2017
Messages
420 (0.16/day)
classic intel
and to think they've been doing this for almost two decades now and people still buy their CPUs... jesus christ
 
Joined
Jul 28, 2007
Messages
94 (0.02/day)
Location
Portugal
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch were not to say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kinds of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal the details to Intel and not publicly, so that Intel could investigate and work on a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
 

rtwjunkie

PC Gaming Enthusiast
Supporter
Joined
Jul 25, 2008
Messages
13,909 (2.42/day)
Location
Louisiana -Laissez les bons temps rouler!
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch were not to say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kinds of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal the details to Intel and not publicly so that Intel could investigate and work on a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying" by asking them to publicly say the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
Nice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.
 
Joined
Feb 23, 2019
Messages
5,616 (2.99/day)
Location
Poland
I'd have absolutely loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)
Best part about it, his Uni probably paid for most of it :D Dream deal.
 
Joined
Jun 19, 2010
Messages
401 (0.08/day)
Location
Germany
Vrije Universiteit Amsterdam (Free University Amsterdam) wouldn't be free if under NDA.

So Intel would have to buy the whole and not make a joke of itself.
 
Joined
Sep 23, 2008
Messages
293 (0.05/day)
Location
Richmond, VA
cue Intel fanboy damage control
 
Joined
Apr 10, 2013
Messages
302 (0.08/day)
Location
Michigan, USA
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
 
Joined
May 8, 2018
Messages
1,495 (0.69/day)
Location
London, UK
40k or 80k is nothing to them, now if it was around 5 million then it might have achieved success.
 

iO

Joined
Jul 18, 2012
Messages
526 (0.12/day)
Location
Germany
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
The standard 90 days deadline forces them to react and work on fixes instead of dragging their feet and hoping people will just buy their (probably also vulnerable) 10k series in a few months.
 