Cybersecurity researchers at the Vrije Universiteit Amsterdam (VU Amsterdam) allege that Intel tried to bribe them to suppress knowledge of the latest MDS vulnerability, which they made public on May 14th. According to Dutch publication Nieuwe Rotterdamsche Courant, Intel offered to pay the researchers a USD $40,000 “reward” to allegedly get them to downplay the severity of the vulnerability, and backed its offer with an additional $80,000. The team politely refused both offers.
Intel’s security vulnerability bounty program is designed to minimize Intel’s losses from the discovery of new vulnerabilities. It requires researchers to sign an NDA (non-disclosure agreement) with Intel and to refrain from disclosing their findings or communicating with any person or entity other than authorized personnel at Intel. Intel says that this gives them the chance to address the issues before hackers have time to design and spread malware that exploits the vulnerability.
VU Amsterdam forced Intel to disclose the vulnerability on the 14th; otherwise, the university would have published the information itself. The researchers are quoted as saying, “If it were up to Intel, they would have wanted to wait another six months”.