Why didn't they include the reference to the infamous CTS Labs scam when they brought up Ryzenfall, Chimera, and Fallout bugs and them being registered as very high risk?
AMD would've won that category, making this comparison a shutout.
I'm not sure of the current status of "vulnerabilities" but by the time I stopped reading news about CTS Labs, no reputable security researcher had managed to verify the "vulnerabilities" because CTS Labs refused to release any relevant data pertaining to them. I don't consider Dan Guido to be a reputable security researcher, btw, given that he couldn't even seem to grasp the level of access necessary for exploitation.
Given that CTS Labs failed to disclose these supposed "vulnerabilities" in a proper manner, but instead FIRST released the data to a media outlet well known for attempting stock manipulation schemes, I don't understand why these were even mentioned. CTS Labs, at the time of the disclosure, didn't even employ anyone with a background in hardware or security. Instead, they employed a staff with a background in... financial attacks and stock manipulation. CTS Labs was even founded in February 2018... right before the disclosure of the supposed "vulnerabilities"... "Vulnerabilities" that require direct access to the system, modification of the firmware AND administrator access to be exploited are hardly real vulnerabilities. If someone has direct access to the system, it's already vulnerable anyway.
Just because the motivation for exposing those flaws in the way they did was merely to try to short sell AMD, doesn't mean those vulnerabilities didn't actually exist.
It should have been mentioned, but it wouldn't have changed the "score" imo.
I would say the fact that they required physical access to and modification of the system firmware, means they aren't real vulnerabilities. Also, CTS Labs went to the extent of saying that these "vulnerabilities" can't affect Intel systems, when in fact that would be completely false.
Motivation means everything. It's not hard to conceive security vulnerabilities, then refuse to release the data necessary for "experts" to verify, and still claim they're legitimate.... The only "security researcher" I know of confirming these "vulnerabilities" is Dan Guido, and he supposedly did so without any testing whatsoever and without the actual technical data that would be required to test the vulnerabilities.