Intel’s Security Potshot at AMD

Intel has reported a combined 39% year-on-year decline in hardware and firmware vulnerabilities during 2023 and claimed that this was 67% fewer than platform firmware issues reported by its arch rival AMD. These findings are part of the company’s Product Security Report for 2023 that was released recently. 

The report said that Intel addressed 353 vulnerabilities during 2023 of which 256 were in software, including application, drivers, toolkits, SDKs, and utilities. Eighty-seven were discovered in firmware including platform firmware, wireless and FPGA components, Intel NUC, SSDs, server boards,and other products. The remaining ten vulnerabilities were classified as hardware, 8 of which affected CPUs, with the other 2 affecting Intel Arc graphics cards.

The report claimed that 94% of the vulnerability disclosures were attributed to product security assurance efforts in 2023, which was largely governed by a growing bug bounty program. The company said that they either found these issues internally or incentivized external contributors to study and submit such issues. 

Intel says it had a record number of 256 researchers working on the bug bounty program, which stood at 181 in 2022. In addition it launched the Project Circuit Breaker program that seeks to build a community of ethical hackers around Intel’s tech and also train those who may otherwise have focused on software to hunt for bugs on hardware. 

However, that’s not the clinching argument

The company appeared to be taking potshots at its rival AMD through a section on Intel-AMD competitive vulnerability analysis. In this, the report said AMD had thrice the number of platform firmware vulnerabilities compared with Intel during 2023. For the uninitiated, platform firmware is firmware that maps to silicon and generally ships as part of a CPU. 

It also claimed that AMD had reported more than 3.5 times as many vulnerabilities as its Chain of Trust Boot firmware components and features compared with Intel. Also, AMD had 2.5 times more vulnerabilities in confidential computing firmware components and features as against those of Intel, which had 79% of them. 

Of course, Intel argues that higher vulnerabilities do not necessarily mean less security of a product. It only serves as a limited indicator of product security assurance practice, says the company while noting that Intel invested in this area starting 2006. It is another matter that AMD actually started disclosing internally located vulnerabilities only in 2022. 

Intel had commissioned a study by ABI Research1 to evaluate the product assurance practices of leading tech vendors including AMD, Nvidia, Qualcomm and Intel among others. The idea was to obviously showcase their thought leading position in the market in the area of transparency and disclosures around vulnerabilities.