Before Spectre and Meltdown were disclosed publicly, very, very few security researchers were looking at the CPU level, beyond things like attacks against hardware virtualization functionality, TrustZone and friends, ME, etc. Those bugs had existed for ages and could've been found through thorough examination of the processor manuals, but nobody had really looked too hard there. These new bugs were found independently by many different researchers/groups, simply because their attention was drawn to looking at this stuff for the first time.
> and could've been found through thorough examination of the processor manuals, but nobody had really looked too hard there.
I don't think you're giving enough credit. The actual microarchitecture isn't documented much in those manuals, so looking hard at those wouldn't help without making a series of assumptions of how it all works. The authors of recent exploits have been diligently reverse engineering and making sensible guesses.
This person seems to think that security researchers are the only people looking for vulnerabilities, when in fact the people who stand to have significant profits are apt where the vulnerabilities were probably known long before researchers found them.
The whole "since they published that it happened, we've had a bunch of disclosures" which is a typical "I don't feel safer when people talk openly about unfixed vulnerabilities" argument.
Err no, no it's not. It's that there's been a ton more attention there. We're no more or less safe than we were before, we simply didn't know about the bugs that were there.
(FYI, I've been a security researcher for 15+ years and work as the head of hacker education for HackerOne; I am very, very pro disclosure. :) )
Another security principle is involved: assume the worst case. If CPU vulnerabilities are a popular subject, they get fixed to some extent: it's much better than letting them be as a tool in the hands of private and government black hat hackers.