
Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

btarunr

Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in that regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.



Update (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."
 
I don't believe it for a second.
 
> I don't believe it for a second.
I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so what's your problem?
 
Oh that's not good PR. Ouch Intel.
 
It was discovered in September and they notified Intel. Intel even paid the bounty. There usually is a 90-day period before the info goes public. We are well past double the time and Intel wanted another 6 months.
 
Man, Intel needs a new PR department.
 
> I believe it, it kinda sorta happens all the time sooo yeah.
> Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.
>
> This is really no different so what's your problem?
He's a known hardcore Intel fanboy, of course he's gonna defend them tooth and nail. You're preaching to the wrong choir.

> Man, Intel needs a new PR department.
Intel needs some serious restructuring from the ground up. IMO PR is least of their concern at the moment.
 
Intel needs an entire new re-structuring, and I think they are getting that now with the new CEO, sadly the new CEO doesn't care about consumer, he only cares about big data centers moving forward because that is where the money is. Luckily, AMD EPYC Rome 7nm is going to smoke Intel in that area too, so Intel will be forced to diversify and improve very fast to appease the stock holders. Free markets work as long as there is competition, AMD is bae.
 
Dang cheap ass amateurs! $40,000 or $80,000? This is what you get for your cheapness......FAIL!

These things require "brute force"......Next time Intel throw a million on their face in one go and wipe the floor. But $40k? Come on I would also tell you to shove it off!
 
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch would not say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kinds of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal the details to Intel and not publicly, so that Intel could investigate and work on a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
 
I'd have absolutely loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)

 

rtwjunkie

> I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch would not say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
> So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kinds of issues with their products?
>
> Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
> - among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
> - Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal the details to Intel and not publicly, so that Intel could investigate and work on a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
> - the group said they would give Intel until May, then they would release the infos/leaks themselves
> - apparently Intel wanted to wait another six months so they could get more time to fix it
> - the group refused
> - Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
> - the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.
>
> So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying" by asking them to publicly say the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.
>
> Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
Nice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.
 
> I'd have absolutely loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)
Best part about it, his Uni probably paid for most of it :D Dream deal.
 
Vrije Universiteit Amsterdam (Free University Amsterdam) wouldn't be free if under NDA.

So Intel would have to buy the whole and not make a joke of itself.
 
cue Intel fanboy damage control
 

tigger

I'd have took the $40k no lie
 
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
 
40k or 80k is nothing to them, now if it was around 5 million then it might have achieved success.
 

iO

> Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.
>
> I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
The standard 90-day deadline forces them to react and work on fixes instead of dragging their feet and hoping people will just buy their (probably also vulnerable) 10k series in a few months.
 