AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch

BrikoX@lemmy.zip · 13 hours ago

AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch

trackball_fetish@lemmy.wtf · 8 hours ago

These mofos are about to see why bug bounties exist in the first place

redparadise [he/him, they/them]@hexbear.net · 5 hours ago

I’m sure there’s absolutely nothing that could go wrong with getting on the bad side of security researchers.

Ledivin@lemmy.world · edit-2 12 hours ago

Sounds like everyone should stop reporting vulnerabilities and start selling them 🤷‍♂️ great work, AMD, there’s absolutely no way this relatively small “cost saving” backfires!

undefinedTruth@lemmy.zip · 8 hours ago

Sounds like AMD needs to be Nightmare Eclipsed.

Onomatopoeia@lemmy.cafe · 12 hours ago

Haha, oh boy, between AMD and MS, I predict some zero-days in the near future from people like Paul (the researcher here) just selling the exploit.

db_null@lemmy.dbzer0.com · 12 hours ago

As they should, it’s the only reasonable response to how these companies act.

TachyonTele@piefed.social · 12 hours ago

Uhh wont that discourage zero day reports?

NaibofTabr@infosec.pub · 11 hours ago

Worse. It encourages selling them to the black market instead.

The illicit market for newly discovered security vulnerabilities generally pays pretty well, especially if you can demonstrate implementation. The only reason it’s not a much bigger problem is that most security researchers have some moral compunctions and the professional desire to fix problems, not proliferate them.

If the companies basically tell the security researchers to pound sand, that encourages making a living elsewhere.

bluGill@fedia.io · 11 hours ago

These days there’s so much slop in the world that 0day reports end up being worthless. The idea is sound, but far too many people are abusing the system and so they’re not worth having anymore.

corsicanguppy@lemmy.ca · 8 hours ago

The report is only because there’s a 0-day sploit. It’s not like some cogsucker can make it up and get paid.

Okay so we’ll have to have a neutral third-party confirm them, but really that will have to happen now anyway since no one will trust AMD to pay their promises.

Luminous5481 "Enemy of the State"@anarchist.nexus · 10 hours ago

if you say so. meanwhile, for anyone who finds them and doesn’t have any morals, the US government will pay you up to a few million dollars depending on how valuable the zero-day is.

twinnie@feddit.uk · 12 hours ago

He would have got a lot more than $10,000 on the dark web.

vatlark@lemmy.world · edit-2 11 hours ago

I expect 10k is nothing compared to one of their salaries. I would expect zero days are worth at least an entire salary.

fraksken@infosec.pub · 12 hours ago

That’s sad. I wish AMD would not have done that 😔

justlemmyin@lemmy.world · 9 hours ago

AMD also donated to the orange pedo, coz it’s good for business.

fraksken@infosec.pub · 8 hours ago

🫩🤬😡

SeeMarkFly@lemmy.ml · 11 hours ago

They HAVE to do that, it’s a “business” not a voter. Oops, did I say that out loud?