The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I'm sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.
this post was submitted on 14 Jun 2026
867 points (98.8% liked)
Technology
85619 readers
3178 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
That is essentially the behavior AMD is incentivizing here.
I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.
Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a simmilar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some goulag after getting exposed via said exploit.
The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.
AMD replied saying that it would "likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases." That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing "http" with "https" in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul's work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn't it have a higher priority?
Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of "wassup?" before the clock ticked its last tock, only to be asked for extra time again, being told that "multiple tools are affected by [the bug]", and that "[AMD's] customers request additional time once [the fixes] are made available." Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.
"the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question."
Nah, they should pay him...
Well shiiiiiiiiiit balls.
I was thinking just pay the 10k amd
For those that don't read the article - Paul AGREED to no payment, and later regret it. Why should amd pay? They made it clear their policy doesn't cover MITM attacks and so there is no bounty available for this vulnerability. Amd had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!
Damn that might make me read the article
They told him that paying him was out of the question and he said ohhh
They can fucking pay him.
Reading comprehension not your strong suit? Or just raging on the title without clicking the link?
Hey troll, that's from the fucking link. go read it yourself. and welcome to my blocklist
Hey 🤡 did u read the part where AMD doesn't offer reward for MITM attacks? And that this vulnerability could not be exploited? Think I give a fuck if I'm on ur block list? Keep isolating urself in ur own little echo chamber buddy like I give a fuck 😂
How do you KNOW the CIA wasn't paying for that bug to be prolonged?
Same question about epistemology: how do you KNOW God is/isn't real? How do you know this isn't a simulation with a system administrator who can supplant causation that is capable of being proven scientifically?
You live in a police state. The CIA routinely breaks the law for purposes they deem necessary. It's a possibility they were exploiting the bug for their purposes. This is the reality we live in. But this gets dismissed by charismatic figures in the news so the average person never truly considers it. Operation Mockingbird was FIFTY years ago, proving the agency is not just lying to the American public but actively breaking the law to do so. Why not this?
Another proof mega corporations are the equivalent of a selfish sociopath, unreliable, can't be trusted and must be kept under scrutiny at all times
The impulsive guy in me is thinking that I should cancel AMD over something like this while the rational one remembers that (at least for non-Apple PCs) it's basically a duopoly and if I cancel the other player over something stupid that they do, I'd be out of choices.
What do you guys think?
Buy used, compensate for the loss in power with algorithmic ingenuity, yadda yadda.
Also, if you can do the thing the app does on paper, you should just do it on paper and can save the computer for more difficult tasks like the old-timers that paved the way for our modern-day laziness.
Use the public library, also.
I dunno, man. Seems like all the convenient options at this point require you to capitulate to some asshole trying to jack up prices and deny payouts, and the only option now is to take high roads that are unpaved.
Buy used
This right here. If people trusted each other more and maintained their stuff more, companies would starve.
But no. Instead people treat their belongings like disposable trash, and trillionaires take advantage of it.
It's our fucking fault. All our fault.
My problem with buying used is that some things barely survive the warranty period, so if I can get those two years of warranty, I will. I usually aim towards buying the latest thing and using it for at least 3-4 years for the things that go old the fastest (CPUs, mobos, RAM, GPUs). Other things might last longer - i.e. I just retired a case and a PSU that are 10+ years old (bought new).
I somewhat agree with your sentiment, but indeed it seems like the more we want to vote with our wallets, the further we stray from practicality.
Honestly? Fuck technology. I'm probably just in a bad mood, but that's how I feel right now. Get rid of all of it. If you can't figure it out on an abacus, you don't really need to know it!
Algorism outpaced the abacus for a reason, and the slide rule outpaced algorism for a reason as well, but they're all good skills to have some practice with. Have you ever had to do long division on an abacus? It ain't pretty.
If you can’t figure it out on an abacus, you don’t really need to know it!
Long division is out, then, sorry long division stans!
Same. Unless I live like a hermit in the woods, I am definitely using, directly or not, something (many things) made by a company that has done unforgivable shit. And even if I personally decide "to hell with all this, I can survive just fine", who will be there to stop them from destroying the whole forest I am supposedly in? Definitely not me
This does not make things all right as they stand, but it does mean quitting the game is not an option
Do yourself a favor and actually read the article. Not saying AMD is in the right here, but they aren't in the wrong for not paying Paul when he agreed to no pay out.
Excellent way to encourage responsible disclosure.
/s
They should ask Microsoft about those current troubles.
load more comments
(1 replies)
I guess nobody's reporting security issues to AMD anymore then. Have fun guys.
load more comments
(1 replies)
Does AMD want their own Nightmare-Eclipse or what. And that researcher went rogue because MS has the habit to not credit researchers and claiming that vulnerabilities are not vulnerabilities while quietly fixing them.
load more comments
(1 replies)
Y'all really need to read past the headline:
the bug that Paul found seemingly wouldn't be triggered anyway, as the relevant section of the code wasn't being called to begin with
Pretty sure ur the only commentator here that actually opened the link LMFAO
I guess it's one of those "justifiable but unwise" sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don't want is to create the perception that the work of devs who look for these vulnerabilities isn't appreciated, for example, by skimping on bounties over technicalities.
Paying the 10k doesn't ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs' trust that keeps this program effective. From a financial point of view, this is some very poor decision making.
load more comments
(5 replies)
load more comments
(5 replies)
Bye bye responsible disclosure, hello actively exploited 0days.
Researcher commenting on the patch:
he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn't considered cryptographically secure anymore
I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That's never been its purpose, and using it for digital signing is patently insane!
I fear I would have had a much shorter temper after what he's been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
load more comments
(7 replies)
Holy crap. I'd say not to buy AMD if you value your security (i have an AMD CPU and the Deck too). You already know the next vulnerability they're going to be the last ones to find out. In the news, probably.
AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.
load more comments
(1 replies)
load more comments
(24 replies)
The woman in the stock photo looks like she's about to pilot an X-Wing.
view more: next ›