this post was submitted on 14 Jun 2026
857 points (98.7% liked)
Technology
The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I'm sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.
That is essentially the behavior AMD is incentivizing here.
"the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question."
Nah, they should pay him...
I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.
Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a similar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some gulag after getting exposed via said exploit.
Well shiiiiiiiiiit balls.
I was thinking just pay the 10k AMD
For those that don't read the article - Paul AGREED to no payment, and later regretted it. Why should AMD pay? They made it clear their policy doesn't cover MITM attacks and so there is no bounty available for this vulnerability. AMD had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!
Damn that might make me read the article
They told him that paying him was out of the question and he said ohhh
They can fucking pay him.
Reading comprehension not your strong suit? Or just raging on the title without clicking the link?
Hey troll, that's from the fucking link. Go read it yourself. And welcome to my blocklist
Hey 🤡 did u read the part where AMD doesn't offer reward for MITM attacks? And that this vulnerability could not be exploited? Think I give a fuck if I'm on ur block list? Keep isolating urself in ur own little echo chamber buddy like I give a fuck 😂
How do you KNOW the CIA wasn't paying for that bug to be prolonged?
Same question about epistemology: how do you KNOW God is/isn't real? How do you know this isn't a simulation with a system administrator who can supplant causation that is capable of being proven scientifically?
You live in a police state. The CIA routinely breaks the law for purposes they deem necessary. It's a possibility they were exploiting the bug for their purposes. This is the reality we live in. But this gets dismissed by charismatic figures in the news so the average person never truly considers it. Operation Mockingbird was FIFTY years ago, proving the agency is not just lying to the American public but actively breaking the law to do so. Why not this?