An Intel spokesman wouldn’t detail who the company had informed, but said that the company couldn’t notify everyone (including US officials) in time because Meltdown and Spectre had been revealed early. Lenovo said the information was protected by a non-disclosure agreement. Alibaba has suggested that any accusations of sharing info with the Chinese government were “speculative and baseless,” but this doesn’t rule out officials intercepting details without Alibaba’s knowledge.
There’s no immediate evidence to suggest that China has taken advantage of the flaws, but that’s not the point — it’s that the US government could have helped coordinate disclosures to ensure that enough companies had fixes in place. Big names like Apple, Amazon, Google and Microsoft were ready relatively quickly, but most everyone else was left racing to fix or mitigate the flaws. That could have led to attacks on vendors that weren’t in the early list, but were still running critical systems.
Intel is between a rock and a hard place in situations like this. There’s no question that it has to notify partners, but it also has to limit those notifications to minimize leaks before patches are ready. The issue, as you might guess, is that the company didn’t appear to have accounted for the cyberwarfare implications of who it notified first.