These flaws were discovered by SecureAuth researcher Diego Juarez, who apparently reached out to both companies back in 2017 and again earlier this year to inform them of the flaws. Unfortunately, despite the multiple warnings, it seems that neither ASUS nor Gigabyte has done much to mitigate the problems.
On ASUS' end, the company has fixed some of the flaws that were reported, but others were found to be still exploitable despite ASUS having told SecureAuth that they had been addressed. Gigabyte, on the other hand, appears to have denied that any of these flaws exist, as a communications log with SecureAuth revealed.
SecureAuth has since published its findings, after determining that enough time had passed since it warned ASUS and Gigabyte, in hopes that this might prompt them to fix the flaws. This is similar to the approach taken by other security researchers, who typically give companies time to respond and fix the problem before making it public information.