Intel may have finally acknowledged and publicly addressed the Meltdown and Spectre vulnerabilities, but it appears that the company is now facing some heat over who it contacted first. According to the Wall Street Journal’s sources, Intel initially reached out to a handful of customers about the vulnerabilities, including Chinese tech companies like Lenovo and Alibaba, but failed to first reach out to the US government.
Even though Intel has to reach out to those vendors to coordinate patches and fixes, the Chinese government routinely monitors conversations between companies and could have theoretically exploited the vulnerabilities before patches were made available to everyone.
An Intel spokesperson didn’t detail who the company reached out to first, but did say that it wasn’t able to notify everyone (which includes US officials) in time because both Spectre and Meltdown were revealed early. Lenovo, for its part, has said that the information it received was protected by a non-disclosure agreement. Alibaba has said that any accusations of sharing info with the Chinese government are “speculative and baseless,” but it didn’t rule out the possibility of officials intercepting details without its knowledge.
Right now, there’s no immediate evidence to suggest that China took advantage of the flaws, but that’s not the point here. The point is that the US government wasn’t notified first, when it could have helped coordinate disclosures to ensure that enough companies had fixes in place before news of these vulnerabilities spread like wildfire. Big companies like Amazon, Apple, Google and Microsoft were ready fairly quickly, but other companies were scrambling to fix or somehow mitigate the flaws. This is a big issue because big-name companies were ready, while other companies were left to panic and quickly come up with ways to patch the vulnerabilities.