Intel has taken a lot of heat in the tech news circuit lately for security vulnerabilities that exist in its various processor line-ups. What you might be surprised to know, especially with some of the more recent discoveries, is that Intel brought much of this pain upon itself through an aggressive program of bug bounties and investments in internal and external research. Short of some masochistic tendency that flies in the face of sales and marketing types, this practice actually benefits Intel, its customers and the greater ecosystem as a whole.
First, common sense tells us that it’s better for Intel to get ahead of vulnerabilities, undergo early root cause determination and then proceed with mitigation efforts, before there’s some sort of outbreak or compromise in the wild. An ounce of prevention is worth a pound of cure and all that. In addition, proactive discovery of chip vulnerabilities also potentially helps to limit the scope of vulnerable product in the market. The sooner Intel engineers can deploy software or firmware patches, for example, the fewer new systems (desktop, mobile or data center) are shipped with the vulnerability. Finally, of course, there’s the undeniable good neighbor effect. Processor architecture is often common across competitive solutions, whether it be Intel, AMD, ARM, or some other embedded or semi-custom instantiation of products from any of these companies. Intel also licenses its IP in this area, so the sooner these discoveries are made public within the guidelines of Coordinated Vulnerability Disclosure (CVD), the better off the entire industry will be, which ultimately benefits Intel customers as well through better transparency.
As a result, in 2019, Intel’s investment in security research accounted for 91 percent of the vulnerabilities discovered and addressed; the majority (over 60%) of these were internally discovered by Intel, with roughly another 30 percent reported through bug bounties. In fact, discovery of the infamous Spectre (which targets the intrinsic nature of speculative execution in modern processors) and Meltdown (which targets side effects of out-of-order execution in modern processors) was actually rewarded with bug bounties from Intel. As team members from Google Project Zero, Graz University and others note, “We would like to thank Intel for awarding us with a bug bounty for the responsible disclosure process, and their professional handling of this issue through communicating a clear timeline and connecting all involved researchers.”
And so, while it might be easy to point fingers at Intel for these chip vulnerabilities in the first place, rigorous, proactive discovery of chip vulnerabilities is also part of the new normal in the age of data breaches, hacking and cybersecurity best practices.
In short, it makes good business sense for Intel to invest in these areas, and the hope is others in the industry will take note and follow suit.