A look at the handling of Meltdown and Spectre
Posted Jan 10, 2018 0:57 UTC (Wed) by AdamW (subscriber, #48457)
Parent article: A look at the handling of Meltdown and Spectre
But without going into any specifics or anything I don't think I'm allowed to talk about, one significant point I've seen is that this has been a bit of an unprecedented situation.
The disclosure/embargo processes for vulnerabilities that can be addressed at a single point are, by now, pretty mature and well-understood, whatever you think of them, and people in general know how to follow them.
One reason why this one seems to have been a bit of a mess, it seems to be generally agreed, is that this was *not* a single vulnerability that could be addressed in a single piece of software, or by a single vendor. Insofar as there *was* a plan that multiple people/companies agreed on (again, this is just my reading of it), it seems to have involved at least multiple CPU manufacturers, OS vendors (counting commercial Linux distributors in that), cloud providers, hardware suppliers, and even higher-level software vendors, notably browsers. And probably more that I forgot about / don't know about. I rather suspect that the reason behind some OS vendors/distributors apparently not being involved in the process is simple cock-up rather than conspiracy; I don't think there was a well-run authority somewhere with a Master List of people and companies who ought to get pulled into this; it was all being cooked up ad hoc.
Anyway, even without the ones who got left out, that's a *lot* of people and companies all with their own timeframes and agendas, all involved in a process that's really never happened before. And going by what I've heard, there wasn't really a common understanding beforehand of exactly how such a complex and lengthy embargo process ought to work. It seems to me like everyone had sort of a vague idea, but all the details were getting worked out as things went along.
So that would be an obvious source of confusion, and problems like articles that disclosed or implied the existence of the vulnerabilities getting published, and the mess with the KAISER patch set cluing people in that something was going on.
It seems like some well-intentioned folks are trying to kickstart efforts to try and improve how this sort of problem gets handled in future; let's hope those work out...