Ilia Luk-Zilberman, the Chief Technical Officer (CTO) of CTS Labs, the company behind yesterday’s disclosure of 13 vulnerabilities affecting AMD processors, has published an open letter today, explaining his company’s controversial actions that managed to enrage a huge portion of the tech and security research communities.
CTS Labs faced a massive backlash yesterday, on a scale rarely seen in the security industry, for the way it decided to approach the process of « vulnerability disclosure » of 13 AMD CPU flaws collectively known under four codenames —RyzenFall, MasterKey, Fallout, and Chimera.
CTS Labs criticized for disclosing too quickly
According to an AMD spokesperson, CTS Labs gave the chip maker less than 24 hours to read a technical report, verify, reproduce, and prepare patches, a deadline that many security researchers found impossible to abide with.
The Tel Aviv-based CTS Labs then moved forward to publicly disclose the 13 vulnerabilities via an embargoed press release shared with selected news agencies, with greenscreened YouTube videos, a fancy website, and a whitepaper that lacked any technical details.
The security community tore into the company, who quickly became a subject of jokes and ridicule. Discussions on social media quickly moved to theories that CTS Labs was trying to short AMD stock using « manufactured » vulnerabilities in an attempt to buy shares at lower values.
AMD flaws independently verified by two credible sources
Those theories were short-lived because a few hours after CTS Labs took a beating on social media and some infosec blogs, Dan Guido, the CEO of Trail of Bits —another security company— came forward to confirm that the CTS Labs report was real and contained actual vulnerabilities.
Yaron Luk, the CFO of CTS Labs, confirmed to Bleeping Computer yesterday via email that the company had asked the Trail of Bits team to run an independent review of their findings, a fact that Guido confirmed on Twitter.
To read the original article: