Intel, Arm, Microsoft, Amazon and Google are among the major tech firms challenged by US lawmakers over the secrecy surrounding the Spectre and Meltdown CPU flaws.

CEOs of tech firms that kept quiet about the Meltdown and Spectre flaws for half a year are being asked to justify not revealing details of the vulnerabilities more widely.

In a letter, the leaders of the House of Representatives Committee on Energy and Commerce say a number of firms were “caught off guard” when the flaws came to light on January 3rd this year.

These companies have complained of not having enough time to assess the risk of the vulnerabilities and prepare measures to protect themselves, the representatives write.

SEE: Incident response policy (Tech Pro Research)

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” they write.

The letter references complaints by US cloud firm DigitalOcean, which said it didn’t have enough time to fully understand the possible impact of any Spectre and Meltdown-related attacks.

The politicians also highlight the raft of problems caused by Meltdown and Spectre patches that were rushed out the door, such as the widespread incompatibility of updates with third-party, anti-virus software in Windows.

While the US representatives accept the flaws needed to be kept under wraps while tech firms prepared patches against possible attacks, the letter asks whether the negative impact of restricting knowledge of the flaws to a limited number of companies had been fully considered.

The letter asks why an embargo was imposed after the flaws came to light in June last year, and who proposed it, as well as when the cybersecurity hub CERT/CC was told about the vulnerabilities.

In response to the letter an Intel spokesperson said: “We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues. In addition to our recent meetings with legislative staff members, we have been discussing with the committee an in-person briefing, and we look forward to that meeting.”

The concerns over the downsides of keeping the flaws hidden were shared by developers of the Linux kernel, who have said the approach didn’t following the usual technology industry procedures for disclosing flaws.

Microsoft software engineer Jessie Frazelle described the embargo as an “absolute sh*tshow” and said the approach should not be repeated, while the team behind the FreeBSD operating system complained of not having enough time to prepare the necessary patches.

Read more