"AMD was given so little notice, it can’t even state if the attacks are valid or not. The company’s statement reads: “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”
Good security firms don’t put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don’t engage in rampant scareism. Good security firms don’t use websites like “AMDFlaws” to communicate technical information, any more than they’d use “IntelSecuritySucks” to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context."
"We aren’t the only site to notice. There’s a notification on CTS-Labs’ site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the manner in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated."
CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it’s a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page “obituary” for AMD based on this data in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this “report.”
We stand by what we said regarding the flaws themselves — we’ll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. ExtremeTech denounces, in the strongest possible terms, this scheme’s apparent perversion of the security flaw disclosure process.