[bcantrill]

NXP knew enough to not ask. To their credit, we got much less runaround on this vulnerability than with the vulnerability that Laura and Rick found a year ago.[0] (It should also be said that what Laura originally sent to them left little room for negotiation about the seriousness.) At some level, NXP seems to appreciate that we're helping them improve their products -- or perhaps they're just afraid of what we'll find next? Either way they were at least marginally better.

So all of that is an improvement, certainly, but it's still not what we need: the source code to the ROMs. We believe emphatically that we need transparency throughout the stack, down to its lowest levels. We need open ROMs, open FPGAs, open ISAs, open firmware -- not just because it's the right thing to do, but because it will result in more secure and more reliable infrastructure!

[0] https://oxide.computer/blog/lpc55

[Aissen]

Aren't you afraid this might get your relationship with this supplier tougher ? Not necessarily with engineers, but if some C-level decides that you're giving them bad publicity and blacklist you or making you pay public price for all products ?

[bcantrill]

No, we're not afraid. Even with the partners that have been a real challenge for us, there is recognition that (1) we know what we're doing and (2) we want them to succeed. It should be said that that's not by accident: we have taken a deliberate, values-based approach to partner selection (and we differentiate between partners and vendors). Specifically, we explicitly look for partners that share our value of responsibility. Indeed, we have written an RFD[0] on the shared values that we seek in a partnership that we send very early on in the relationship; if a C-level doesn't buy into shared responsibility with the fate of their customers, we will find someone who does.

[0] https://oxide.computer/blog/rfd-1-requests-for-discussion