this post was submitted on 14 Jun 2026
857 points (98.7% liked)

Technology

85494 readers
4362 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] isekaihero@ani.social 60 points 2 days ago (5 children)

The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I'm sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.

[–] riko@lemmy.world 22 points 2 days ago

That is essentially the behavior AMD is incentivizing here.

[–] rumba@lemmy.zip 8 points 2 days ago

The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.

AMD replied saying that it would "likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases." That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing "http" with "https" in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul's work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn't it have a higher priority?

Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of "wassup?" before the clock ticked its last tock, only to be asked for extra time again, being told that "multiple tools are affected by [the bug]", and that "[AMD's] customers request additional time once [the fixes] are made available." Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.

"the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question."

Nah, they should pay him...

[–] Jason2357@lemmy.ca 15 points 2 days ago

I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.

Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a similar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some gulag after getting exposed via said exploit.

[–] solidheron@sh.itjust.works 6 points 2 days ago (1 children)

Well shiiiiiiiiiit balls.

I was thinking just pay the 10k, AMD

[–] innermachine@lemmy.world 7 points 2 days ago (5 children)

For those that don't read the article - Paul AGREED to no payment, and later regretted it. Why should AMD pay? They made it clear their policy doesn't cover MITM attacks and so there is no bounty available for this vulnerability. AMD had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!

[–] solidheron@sh.itjust.works 3 points 2 days ago

Damn that might make me read the article


How do you KNOW the CIA wasn't paying for that bug to be prolonged?

Same question about epistemology: how do you KNOW God is/isn't real? How do you know this isn't a simulation with a system administrator who can supplant causation that is capable of being proven scientifically?

You live in a police state. The CIA routinely breaks the law for purposes they deem necessary. It's a possibility they were exploiting the bug for their purposes. This is the reality we live in. But this gets dismissed by charismatic figures in the news so the average person never truly considers it. Operation Mockingbird was FIFTY years ago, proving the agency is not just lying to the American public but actively breaking the law to do so. Why not this?

[–] liking625@lemmy.world 15 points 2 days ago* (last edited 2 days ago)

Another proof mega corporations are the equivalent of a selfish sociopath, unreliable, can't be trusted and must be kept under scrutiny at all times

[–] Quexotic@infosec.pub 64 points 2 days ago

Bye bye responsible disclosure, hello actively exploited 0days.

[–] rizzothesmall@sh.itjust.works 127 points 3 days ago (1 children)

I guess nobody's reporting security issues to AMD anymore then. Have fun guys.

[–] OddMinus1@sh.itjust.works 26 points 2 days ago

Instead, report the security issues to malicious third parties who pay more than AMD.

[–] kamen@lemmy.world 14 points 2 days ago (4 children)

The impulsive guy in me is thinking that I should cancel AMD over something like this while the rational one remembers that (at least for non-Apple PCs) it's basically a duopoly and if I cancel the other player over something stupid that they do, I'd be out of choices.

What do you guys think?

[–] JayDee@lemmy.world 15 points 2 days ago* (last edited 2 days ago) (2 children)

Buy used, compensate for the loss in power with algorithmic ingenuity, yadda yadda.

Also, if you can do the thing the app does on paper, you should just do it on paper and can save the computer for more difficult tasks like the old-timers that paved the way for our modern-day laziness.

Use the public library, also.

I dunno, man. Seems like all the convenient options at this point require you to capitulate to some asshole trying to jack up prices and deny payouts, and the only option now is to take high roads that are unpaved.

[–] 87Six@lemmy.zip 9 points 2 days ago

Buy used

This right here. If people trusted each other more and maintained their stuff more, companies would starve.

But no. Instead people treat their belongings like disposable trash, and trillionaires take advantage of it.

It's our fucking fault. All our fault.

[–] kamen@lemmy.world 4 points 2 days ago

My problem with buying used is that some things barely survive the warranty period, so if I can get those two years of warranty, I will. I usually aim towards buying the latest thing and using it for at least 3-4 years for the things that go old the fastest (CPUs, mobos, RAM, GPUs). Other things might last longer - e.g. I just retired a case and a PSU that are 10+ years old (bought new).

I somewhat agree with your sentiment, but indeed it seems like the more we want to vote with our wallets, the further we stray from practicality.

[–] ivanafterall@lemmy.world 7 points 2 days ago* (last edited 2 days ago) (1 children)

Honestly? Fuck technology. I'm probably just in a bad mood, but that's how I feel right now. Get rid of all of it. If you can't figure it out on an abacus, you don't really need to know it!

[–] JayDee@lemmy.world 3 points 2 days ago (1 children)

Algorism outpaced the abacus for a reason, and the slide rule outpaced algorism for a reason as well, but they're all good skills to have some practice with. Have you ever had to do long division on an abacus? It ain't pretty.

[–] ivanafterall@lemmy.world 2 points 2 days ago* (last edited 2 days ago)

If you can’t figure it out on an abacus, you don’t really need to know it!

Long division is out, then, sorry long division stans!

[–] innermachine@lemmy.world 4 points 2 days ago

Do yourself a favor and actually read the article. Not saying AMD is in the right here, but they aren't in the wrong for not paying Paul when he agreed to no pay out.

[–] Shanmugha@lemmy.world 5 points 2 days ago

Same. Unless I live like a hermit in the woods, I am definitely using, directly or not, something (many things) made by a company that has done unforgivable shit. And even if I personally decide "to hell with all this, I can survive just fine", who will be there to stop them from destroying the whole forest I am supposedly in? Definitely not me

This does not make things all right as they stand, but it does mean quitting the game is not an option

[–] fubarx@lemmy.world 251 points 3 days ago (2 children)

Excellent way to encourage responsible disclosure.

/s

[–] einlander@lemmy.world 117 points 3 days ago

They should ask Microsoft about those current troubles.

[–] MoffKalast@lemmy.world 21 points 3 days ago

Either you pay bug bounties, or crypto locker ransoms.

[–] SkunkWorkz@lemmy.world 86 points 3 days ago (1 children)

Does AMD want their own Nightmare-Eclipse or what? And that researcher went rogue because MS has the habit of not crediting researchers and of claiming that vulnerabilities are not vulnerabilities while quietly fixing them.

https://www.theregister.com/security/2026/05/28/microsoft-0-day-feud-escalates-as-researcher-threatens-another-windows-exploit-dump/5248085

[–] redsand@infosec.pub 10 points 2 days ago* (last edited 2 days ago)

They could have worse. The extreme geeks who worked as engineers for AMD pushed to open source their firmware, PSP, everything at one point.

Can you imagine Nightmare but with PSP or Intel ME? It would be EPYC™

[–] Nurse_Robot@lemmy.world 143 points 3 days ago (8 children)

Every major company is fucking evil

[–] luthis@lemmy.nz 74 points 3 days ago
[–] Malyca@lemmy.zip 43 points 3 days ago (1 children)

We let the psychopaths get their way

[–] A_Random_Idiot@lemmy.world 20 points 3 days ago (1 children)

Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.

[–] Malyca@lemmy.zip 6 points 2 days ago

Yep, stabbing your way to the top is the fastest way

[–] kuhli@lemmy.dbzer0.com 70 points 3 days ago (5 children)

Y'all really need to read past the headline:

the bug that Paul found seemingly wouldn't be triggered anyway, as the relevant section of the code wasn't being called to begin with

[–] AAA@feddit.org 16 points 2 days ago (1 children)

If it's in the code, it's a bug. If it's not used, then remove it entirely. Everything in the code should be treated as operational.

[–] GreenKnight23@lemmy.world 9 points 2 days ago

ding ding ding!

no, don't comment it out.

no, don't soft-block it.

no, don't not call it.

just fucking delete it.

[–] rustydrd@sh.itjust.works 112 points 3 days ago (2 children)

I guess it's one of those "justifiable but unwise" sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don't want is to create the perception that the work of devs who look for these vulnerabilities isn't appreciated, for example, by skimping on bounties over technicalities.

Paying the 10k doesn't ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs' trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

[–] grinning_serpent@lemmy.world 15 points 3 days ago (3 children)

It encourages people who find these bugs to use them rather than report them.

[–] Smoogs@lemmy.world 14 points 3 days ago* (last edited 3 days ago)

Sure, however it's still worth calling out that click bait headlines and reactionary posters are all being bad actors here in the misinformation spread.

Probably more important as then developers don't back out over being emotionally manipulated by fake bullshit.

[–] iglou@programming.dev 15 points 2 days ago

Even if it was that simple, this is still a vulnerability that is basically a time bomb. The day that code would have been triggered would have been disastrous.

But this isn't new, bug bounties tend to have terms as strict as they can to deny you the bounty while they obviously end up fixing issues that don't qualify for the bounty. All because of reason X or Y that turns out to be a subjective interpretation of a vague enough eligibility requirement.

[–] monotremata@lemmy.ca 14 points 3 days ago (1 children)

Okay, yes, but that's because they had messed up their application enough that the updater itself couldn't be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn't actually be exploited only because of a deeper flaw he hadn't found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.

[–] tunetardis@piefed.ca 60 points 3 days ago (7 children)

Researcher commenting on the patch:

he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn't considered cryptographically secure anymore

I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That's never been its purpose, and using it for digital signing is patently insane!

I fear I would have had a much shorter temper after what he's been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
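To illustrate the point made above about CRC32, here is an added example in Go (not code from the article, from the researcher, or from AMD's tooling) that runs a keyless CRC32 check and an Ed25519 signature check, with the public key pinned in the client, over constructed sample bytes standing in for an update file; it shows why only the signature tells an updater who actually produced the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Constructed sample payloads standing in for an update file; not AMD's data.
var (
	genuineUpdate  = []byte("update-v1.2.3: genuine installer bytes")
	tamperedUpdate = []byte("update-v1.2.3: replaced installer bytes")
)

// crcPasses is the keyless integrity check the thread describes: it only
// tells you the bytes match a checksum, not who produced either of them.
func crcPasses(payload []byte, expected uint32) bool {
	return crc32.ChecksumIEEE(payload) == expected
}

// sigPasses checks an Ed25519 signature against a public key pinned in the
// client; only the holder of the private key can sign a new payload.
func sigPasses(pub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pub, payload, sig)
}

// compareSchemes runs both checks over a payload that was replaced in
// transit and reports whether each check accepts it.
func compareSchemes() (crcAccepts, sigAccepts bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo only: no key means nothing to demonstrate
	}
	vendorSig := ed25519.Sign(priv, genuineUpdate) // shipped with the genuine file
	// CRC32 needs no key, so whoever can replace the file can also publish
	// a matching checksum for it: the check passes on the replaced bytes.
	crcAccepts = crcPasses(tamperedUpdate, crc32.ChecksumIEEE(tamperedUpdate))
	// The vendor's signature covers the genuine bytes only, and nobody
	// without the private key can sign the replacement: the check fails.
	sigAccepts = sigPasses(pub, tamperedUpdate, vendorSig)
	return crcAccepts, sigAccepts
}

func main() {
	crcOK, sigOK := compareSchemes()
	fmt.Printf("CRC32 accepts replaced file: %v, signature accepts it: %v\n", crcOK, sigOK)
}
```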

[–] iturnedintoanewt@lemmy.world 52 points 3 days ago* (last edited 3 days ago) (25 children)

Holy crap. I'd say not to buy AMD if you value your security (I have an AMD CPU and the Deck too). You already know the next vulnerability they're going to be the last ones to find out. In the news, probably.

[–] ModernRisk@lemmy.dbzer0.com 28 points 3 days ago (1 children)

AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.

[–] schema@lemmy.world 29 points 3 days ago* (last edited 3 days ago)

The woman in the stock photo looks like she's about to pilot an X-Wing.
