$10k is nothing to AMD. The middle-management bean counters making these decisions are actively harming their company’s (and user’s security.
AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw
Submitted 3 weeks ago by floofloof@lemmy.ca to cybersecurity@infosec.pub
https://www.techspot.com/news/112746-amd-changes-rules-denies-researcher-10000-bounty-after.html
Comments
pulsewidth@lemmy.world 3 weeks ago
bamboo@lemmy.blahaj.zone 3 weeks ago
The flaw of not using HTTPS for the downloads is so basic it’s shocking they didn’t have internal tooling to raise this before it was shipped. I’m not familiar with AMD’s bug bounty policy but they should have at least paid $1337 to the researcher for raising this to them.
WPSteam@lemmy.world 3 weeks ago
Nightmare Eclipse 2.0 incoming. 10K for such a thing is absolutely nothing for companies like AMD. Why promise rewards if at the end, you don’t intend to pay? This has been a growing trend in the bug bounty space. Many times a bug is marked as duplicate and is fixed secretly. Other times, they’re straightaway rejected…
SamuelEllis@lemmy.world 2 weeks ago
It seems ironic that a security flaw remained unpatched for 124 days, during which time the vulnerability was likely exploited by bad actors long before the bounty was denied. This incident highlights a critical gap where financial incentives fail to align with the actual risk timeline, suggesting that automated patching workflows or stricter internal SLAs might be more effective than relying solely on external bounties for timely remediation.
Australis13@fedia.io 3 weeks ago
This is how you create people like Nightmare Eclipse.
These people are going out of their way to responsibly disclose vulnerabilites to the bug bounty programs and being treated poorly as a result. Granted, AMD technically didn't have to pay since it was a MITM attack, but they could have at least handled the whole interaction better.
Onomatopoeia@lemmy.cafe 3 weeks ago
And simply paid they guy out of appreciation.
I generally support the model we’ve had for. Bug disclosure - it’s about preventing zero days which protects the users of these products.
But for AMD stuff now, go ahead and sell your discoveries, let the zero-days ruin AMDs marketing.