by justin66
3271 days ago
The security guys seem to be converging on a way of managing these - the compensation of the person reporting the bug and the factors motivating vendors to respond to the bug report in a timely fashion or suffer consequences - with bug bounties. Intel should make it easy to report this stuff, but if everyone understood that finding something genuinely interesting resulted in a serious payday, nobody would skip making the call. The difference between something like Google's bug bounty (capped at over $30k, I think) and a hypothetical bounty for Intel is, well, Intel has a lot more at stake. It's honestly strange that they don't have something in place already. Something like Skylake costs on the order of billions to get out there. It's cool that this Skylake bug was fixable via microcode, but the Pentium FPU bug back in the day cost them half a billion dollars. If such a bug exists, that is the kind of thing Intel should want to have reported as soon as humanly possible. Even the reputational damage they take from something milder like the Skylake bug would justify a bounty system with very serious payouts.