CTS Labs defends its public disclosure of AMD vulnerabilities

CTS Labs has received scrutiny this week for its decision to publicize the flaws it claims to have located in AMD's chipsets and Secure Processor architecture rather than pursue the traditional responsible vulnerability disclosure model. Security researchers typically contact the manufacturer of the vulnerable technology and give the company or companies 30-90 days to create and distribute fixes. In a public letter, CTS Labs' CTO Ilia Luk-Zilberman describes how he takes issue with the traditional model, and how the group of researchers decided the best course of action was to make the public immediately aware of the alleged flaws but withhold the technical details.

Luk-Zilberman says his group was researching security problems with ASMedia's ASM1042, ASM1142, and ASM1143 USB 3.0 and USB 3.1 controller chips when AMD announced that it would work closely with ASMedia on chipsets for its AM4 platform. CTS Labs then turned its attention to AMD's chipsets and Secure Processor, and according to Luk-Zilberman, the group discovered new vulnerabilities about "once a week."

The author then describes CTS' motivations to publish its findings immediately rather than providing ASMedia and AMD several weeks to work on fixing the problems. His primary argument is that public disclosure forces the vendor to begin work on mitigating the flaws immediately. Luk-Zilberman concludes the letter by saying that his group could have provided its proof-of-concept code to more than one party (in this case, Dan Guido from Trail of Bits) before making its claims public.

Joel Hruska at ExtremeTech took issue with Luk-Zilberman's methods, noting that many Intel motherboards and standalone cards produced over the last six years have been host to the same ASMedia USB controllers that CTS Labs claims to have exploited. Hruska points out that the researchers didn't publish an Intel-specific advisory about those parts. Furthermore, he notes that CTS chose to create a website called and not or, even though motherboards for both chipmakers' CPUs could share some of the same security issues.

In our view, the responsible-disclosure model isn't perfect, but it has been shown time and again to offer end users the highest possible level of protection from security flaws discovered after products are already in the field. CTS Labs' methods may hasten AMD's efforts to correct the problems, but they could also result in public exploits before the company is able to create and distribute an effective fix. The appearance of coordination between CTS Labs and suspected short-seller Viceroy Research also casts suspicion on the group's motives and methods.

Wayne Manion
