I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?
Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.
So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.
Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
