Intel is a sponsor of TechSpective
There is no such thing as perfect when it comes to technology. When you’re dealing with millions of lines of code and an evolving attack ecosystem, it’s inevitable that bugs will be found. What’s important is for vendors to acknowledge this reality and work to proactively identify and resolve issues rather than just hoping nobody finds the flaws or ignoring the issue entirely. The latest report from Intel Product Assurance and Security (IPAS) illustrates the effort that Intel is investing in this area and sets an example for transparency that other companies should follow.
2019 Product Security Report
The Foreword to the 2019 Product Security Report from the IPAS team explains:
“Long before we made our Security First pledge, Intel has had a systematic approach to addressing product vulnerability reports whether found by the external research community or found internally by Intel employees. It is, and has been, our goal to assign Common Vulnerability and Exposures (CVE) identification numbers to product vulnerabilities across tens of thousands of products, and assist our customers in risk analysis by publishing security advisories to the Intel Security Center.”
There are a number of interesting findings in the 2019 Product Security Report:
- 61% of CVEs addressed in 2019 were found internally through Intel’s research efforts
- Of the 92 externally reported vulnerabilities, 76% were reported through Intel’s Bug Bounty program
- 91% of vulnerabilities addressed were the direct result of Intel’s investment in ongoing product assurance (internal research of bug bounties)
- 61% of High severity vulnerabilities and 75% of Critical severity vulnerabilities were found internally by Intel
- 11 CPU issues were addressed in 2019
A Focus on Security First
The key findings are solid in and of themselves, but there are a few elements that deserve emphasis. Most vendors will respond and take action when a bug is identified and reported to them. Many even have bug bounty programs in place to encourage third-party security researchers to seek out and report those flaws. That is certainly better than ignoring the issue but based on the data in the Intel report it also falls very short.
Intel addressed 236 CVEs in 2019. According to the report, 144 of those were discovered and reported through internal processes and red team exercises. That is a significant number. It means that if Intel relied solely on external researchers and bug bounty programs it may have missed nearly two-thirds of the vulnerabilities resolved in 2019.
This is where the transparency from Intel is very valuable. Intel could just report on vulnerabilities discovered by external researchers, and it would paint a different picture. Other vendors may have similar internal processes and exercises that help them identify and mitigate flaws, but those efforts are not disclosed publicly. Assuming they do, it creates a false image of the overall security posture.
I had an opportunity to speak with Jerry Bryant, Director of Communications in the Intel Product Assurance and Security, about the report and Intel’s approach to security. Bryant stressed that this level of transparency is not common in the industry among hardware and software vendors. He explained, “We share the report with our biggest customers and they often comment that it provides a level of transparency they appreciate from their vendors—and that it’s a level they strive for in their own efforts.”
The report breaks down the data in various ways that provide some understanding of where the most issues occur and the severity of those vulnerabilities. For example, most people think of Intel primarily as a hardware vendor—producing CPUs. Only 13 of the CVEs addressed in 2019 were related to hardware, though. 112 were software, 59 were firmware, and 52 were a combination of software and firmware.
It’s also worth noting that half of the CVEs were ranked as Medium in severity. There were 33 Low, 81, High, and only 4 rated as Critical.
I won’t spoil the whole thing for you. The bottom line is that Intel has invested significantly in delivering on its Security First pledge and this report sets an example for how vendors should approach transparency. Check out the full report for more details: 2019 Intel Product Security Report.