Wait... You would prefer 3rd party disclosure because it forces accountability? Ok I get that but...
AMD has never been known to hide vulnerabilities. Intel has, even nVidia has but I don't recall AMD doing it.
How do you know? Again, for all I know, AMD could've sat on this issue for years after discovering it. Unless we have access to AMD's company emails and whatnot or someone breaks NDA and leaks such, we won't ever know.
Also you don't want to expose a vulnerability before a game plan is in place to either fix it or find a way to mitigate it from being useful. So it's in AMD's best interest to
not disclose vulnerabilities right away. Also consider a lot of high-profile vulnerabilities tend to require a series of steps that don't make it practical for a script kiddie to exploit, so while the damage is high if they are exploited, the risk of someone actually finding that vulnerability is low. And because the risk of exploitation on a coincidence is low, it's likely that vulnerability won't be addressed until the "lower hanging fruit" is taken care of first.
Does the PSP need a 3rd party audit? From what I understand people want these audits because they think the NSA has placed backdoors in PSP & (Intel)ME but it's entirely based on... nothing. It's more likely that they won't let a 3rd party do an audit because of potential abuse by people who work for said 3rd party.
Yes, all security measures, be it computers or otherwise, needs someone else to take a look at it to actually verify that it's as secure as the first party says it is. Because again, for all we know, AMD discovered something years ago and is simply sitting on it.
As an example in something semi-releated, if you develop software, you should have other people testing your software. Chances are you haven't considered corner cases because you were fixated on a select series of use cases. When other people test your software, they have a fresh perspective and will inadvertantly try things you didn't think of.
I really doubt there is an NSA backdoor. Wouldn't you be able to monitor for such a thing via router logs? Plus I really doubt that they would need a backdoor. There are so many ways into a system that it doesn't make much sense for Intel and AMD to open themselves up to being sued into oblivion...
Having a third party audit isn't about checking for NSA backdoors or whatever. It's just checking to make sure the thing is as secure as first party claims it is.
Any vulnerability is potentially a backdoor.
This is why open source software tends to be more secure than closed source software: a lot of eyes are looking at the code to make sure it works the way the author intended it to work. What you shouldn't keep secret is how the security works, because it doesn't really work. The only thing you need to keep secret is the actual secret.
Even if the flaws were discovered by a 3rd-party, most 3rd-parties would follow "responsible disclosure" rules by telling AMD first and not go public until AMD has a fix, so you'd still end up with AMD sitting on bugs for a possibly very long time before either having a fix or declaring it wontfix.
"Responsible disclosure" also has a time limit in order to force accountability on the creator of the thing, otherwise, what's the point? For example, Google's security team gives 90 days to address the problem before disclosing it.
Facebook
Twitter
Instagram