
There has been a lot of noise about the newest Intel x86 vulnerability. I've seen posts on PostgreSQL, the Linux list, Intel, AMD -- all with vague mention of what's going on.

I've seen a few pretty good and convincing write-ups on the matter too. It seems like a typical shtf problem. I'm wondering if there is a list of the users that have signed an embargo? Is this "embargo" a formal thing that binds the developers? Or, is it an informal thing to create a constructive working environment?

I'm picturing all the kernel developers having accepted a formal contract with Intel, and being contractually bound to secrecy.

Evan Carroll

1 Answer


Note that Google Project Zero published a detailed post on the vulnerabilities at hand before the embargo date. The vulnerabilities are known as Spectre and Meltdown.

This is a general answer, not specific to this vulnerability. An embargo is in practice a gentlepersons' agreement to keep the details of a vulnerability under wraps, while ensuring its traceability (so the appropriate people get credit) and its resolution (by involving the necessary people to get it fixed), for an agreed-upon length of time.

For the kernel specifically, the security process is described here. In particular, it calls for very short embargoes, on the order of a week. Typically though, security response to big issues will be discussed in other venues and might take longer.

The contractual situation varies. Some developers will be bound by relevant clauses in their employment contracts (and contracts between companies, NDAs etc.); others will only be bound by some sort of verbal agreement (or email or whatever). Embargo handling also varies from project to project, and even incident to incident; you'd hope the embargo terms are defined and are made explicit to all participants, but that's not always the case. There is usually a more-or-less formal list of embargo participants (if only the cc list in the various emails), and rules over who is allowed to be pulled in (generally speaking, as few people as possible, but sometimes that's still a lot of people). Ultimately developers are honour-bound, or perhaps more accurately reputation-bound; mess an embargo up and you're less likely to be involved in future embargoes (which might make your work difficult).

I very much doubt there's a formal contract between all the participants in this specific embargo and Intel, except for Intel employees perhaps (where such situations are likely covered by their employment contracts anyway).

You'll find relevant information in a number of places, starting with the distros list "Handling of embargoed information" page.

Stephen Kitt