Risk & Repeat: Meltdown and Spectre disclosure in review
In this week's Risk & Repeat podcast, SearchSecurity editors discuss new insights -- and questions -- regarding the coordinated disclosure effort for Meltdown and Spectre.
Black Hat USA 2018 offered new insights into the Meltdown and Spectre disclosure process and raised questions about how such coordinated vulnerability disclosure efforts should be handled.
A Black Hat panel discussion provided a behind-the-scenes look at the process from the perspective of Microsoft, Google and Red Hat representatives.
During the discussion, the panelists revealed a number of stumbling blocks that posed problems not only for Intel, AMD and ARM, but also for the security response teams at various stakeholder companies. For example, because of a miscommunication, Google wasn't officially informed about the vulnerabilities until 45 days after they were first reported to the chipmakers.
The panelists also discussed the challenge of deciding which stakeholders to include in the Meltdown and Spectre disclosure and response process and when to include those parties.
How could the coordinated vulnerability disclosure process have been handled better? Should the pre-disclosure response and mitigation effort have included more people or fewer? How could Google have been left out of the loop for so long? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions about the Meltdown and Spectre disclosure and more in this episode of the Risk & Repeat podcast.