UPDATE 3/16/18: CTS-Labs has released a letter, explaining its reasons for publicly disclosing the AMD chips flaws before a fix could be prepared.

"I think that the current structure of 'Responsible Disclosure' has a very serious problem," said the security firm's CTO Ilia Luk-Zilberman in the letter.

A security researcher will typically give a vendor between 30 to 90 days to fix a flaw, but during that time the vendor will never warn customers that their systems are vulnerable, he said. "Almost always it's post-factum —'We had problems, here's the patch— no need to worry.'"

"The second problem is —if the vendor doesn't fix it in time— what then? The researcher goes public? With the technical details and exploits? Putting customers at risk?" he added.

Luk-Zilberman said his company's approach was to pressure AMD to fix the flaws by publicly revealing them, but withholding the technical details. Unfortunately, this has created doubts over whether CTS-Labs' findings are real. "And we have been paying that price of disbelief in the past 24h," he added.

Despite the backlash, Luk-Zilberman remains confident in the findings. "Very soon we will have to deal with the fact that a huge company with products spread throughout millions of computers in the world, is riddled with so many problems that it's unclear how to even address this," he said.

Original story: An Israeli security firm may have found 13 security flaws in AMD processors. The problem? It only gave the chipmaker 24 hours to fix the vulnerabilities before making them public.

On Tuesday, CTS-Labs decided to disclose the bugs with a splashy website and stylish graphics to boot. However, the short disclosure time means that AMD itself is still trying to confirm whether the vulnerabilities are real.

"We are investigating this report, which we just received, to understand the methodology and merit of the findings," AMD said in an email.

The situation is certainly not ideal; if real, the vulnerabilities probably have no immediate fix. Why CTS-Lab ignored the standard practice of giving a vendor 90 days to address the flaws isn't known. But the incident raises questions over whether the Israeli security firm had the public's best interest in mind with Tuesday's disclosure.

To be clear, the vulnerabilities may indeed be legit. One respected security researcher Dan Guido has verified the findings, although CTS-Labs did pay him for the work. These vulnerabilities have been found in AMD's Ryzen, EPYC branded chips, which are used in servers, desktops and laptop devices.

The most serious flaw deals with a security protection built into the processors. CTS-Labs claims a bad actor could exploit this vulnerability to permanently install malware on to the chips.

Other flaws can let a hacker move from one compromised computer to another, gain access over the entire system, and execute malicious code. In addition CTS-Labs accused the Ryzen chipsets of being shipped with manufacturer-created backdoors that can let a bad actor inject malware like a keylogger on to the affected computer.

Fortunately, there is some good news. Guido tweeted that all the vulnerabilities require a hacker to first gain administrative privileges (or root access) to the computer. This can be done if the attacker can trick you into installing some malware.

The other piece of good news is that the security firm CTS-Labs decided to redact the technical information around the vulnerabilities. This will help prevent hackers from exploiting the flaws. But on the flip side, outside experts have had no way to quickly reproduce and confirm the findings.

Nevertheless, CTS-Labs did provide full details of the flaws to AMD, Microsoft, Dell, HP, Symantec and other security companies, its co-founder Yaron Luk said in a statement.

"I am very proud of the work our team has done," Luk added. "We have been able to identify critical flaws in processors that could put millions of consumers at risk... We are looking forward to AMD's response to our findings."

CTS-Labs is relatively unknown in the security community and was founded only in 2017. But what's clear is that the firm took some time to develop its slick website about the vulnerabilities, which says CTS-Labs revealed the problems to warn the public. It goes on to claim that AMD may need several months to fix the flaws.

However, that same website also includes a disclaimer that suggests CTS-Labs may stand to benefit financially from the Tuesday's disclosure by betting against AMD's stock.

"We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," the disclaimer says. (On the same day, one short seller also published a report, calling the uncovered flaws fatal to AMD's business.)

The whole episode is raising eyebrows across the IT security community. Jon Bottarini, a technical program manager at bug bounty program provider HackerOne, said the incident has been a case study in "what not to do" when it comes to reporting security vulnerabilities.

"Responsible disclosure should be the prime directive for security researchers, and by only allowing AMD 24 hours to respond before CTS-Labs notified the press, CTS stood to do more harm than good," he said in an email.

Others have pointed out that CTS-Labs tried to leverage press coverage to promote the vulnerabilities, even as the flaws have yet to be fully verified and understood.

"The only real public exploit here at the moment is a press exploit. This situation should not be happening," wrote Kevin Beaumont, a UK-based security expert, in a blog post.

Editor's note: This article has been updated with a statement from CTS-Labs.

Further Reading

Processor Reviews