AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch
Quis renovatores renovat — who updates the updater?
https://www.tomshardware.com/tech-industry/cyber-security/amd-denies-researcher-a-usd10-000-bug-bounty-after-fixing-critical-auto-updater-vulnerability-security-flaw-took-124-days-to-patchOpen linkView original on lemmy.zip264
Comments23
Haha, oh boy, between AMD and MS, I predict some zero-days in the near future from people like Paul (the researcher here) just selling the exploit.
As they should, it's the only reasonable response to how these companies act.
The whole fragile construct of ethical disclosure sits on people/companies aknowledging it, playing along and not intentionally fucking it up. It is a cherished grape of vine that demonstrates - healthy tendencies do exist in our societies, we can sometimes communicate with each other and pursue a common good in spite of our destructive urges. Refusing to give a symbolical prize incomparable to the cost they could save, AMD and others mishandle the thing they treat as a given while completely unprepared to the state where it's gone, just like a teenager thinking they'd top the game and lose virginity when/if zombie apocalypse happens.
Sounds like everyone should stop reporting vulnerabilities and start selling them 🤷♂️ great work, AMD, there's absolutely no way this relatively small "cost saving" backfires!
Uhh wont that discourage zero day reports?
Worse. It encourages selling them to the black market instead.
The illicit market for newly discovered security vulnerabilities generally pays pretty well, especially if you can demonstrate implementation. The only reason it's not a much bigger problem is that most security researchers have some moral compunctions and the professional desire to fix problems, not proliferate them.
If the companies basically tell the security researchers to pound sand, that encourages making a living elsewhere.
This is why the ISS exists BTW. It was a jobs program for ex-soviet rocket scientists since by definition they're all weapons specialists who just happen to be launching satellites instead of nukes.
These days there's so much slop in the world that 0day reports end up being worthless. The idea is sound, but far too many people are abusing the system and so they're not worth having anymore.
The report is only because there's a 0-day sploit. It's not like some cogsucker can make it up and get paid.
Okay so we'll have to have a neutral third-party confirm them, but really that will have to happen now anyway since no one will trust AMD to pay their promises.
He would have got a lot more than $10,000 on the dark web.
That's sad. I wish AMD would not have done that 😔
AMD also donated to the orange pedo, coz it's good for business.
🤬😡
Care to provide a source, please? And does anyone know if Nvidia did so too? I'm planning to switch to AMD from Nvidia, but if they're both equally lack virtue… shrugs.
https://en.gamegpu.com/news/zhelezo/amd-obvinyayut-v-popytke-obojti-zakony-radi-data-tsentrov
They HAVE to do that, it's a "business" not a voter. Oops, did I say that out loud?
I expect 10k is nothing compared to one of their salaries. I would expect zero days are worth at least an entire salary.
These mofos are about to see why bug bounties exist in the first place
Does anyone see the overlap of Mythos and Silicon Valley tech companies dodging paying for bug bounties?
It's more in a sense that they have been buried with slop of their own creation so they are refusing to payout anyone. Mythos was good PR move for an IPO, but an useless tool in practice. It generated thousands of tickets for smallest non-issues that dev teams have to deal with, but it couldn't even offer actual patches... Security researchers are calling it a great PR scam and I have to agree.
People often ignore the fact that the Silicon Valley Barons have swallowed their own sauce. Silicon Valley has an industry of sycophancy to uphold their narcicism. That means they can also suffer under narcicistic delusion.
Case in point: when Windows 8/10 was released, Microsoft - referred to as Microslop - fired all their QA teams because they believed automated QA testing was just as good. If you wonder why Windows has been so enshitified, there's the real reason. Now they have a refactoring project for Windows that uses SteamOS as a benchmark, because they know they've fucked up.
And of course, the same can be said for the mass firing of developers because they were going to be replaced with AI, only to be hired back to then babysit that AI.
Never forget that narcicists wear the jogging suit and drink deeply from the punch bowl, and they want us all to swallow it with them.
Sounds like AMD needs to be Nightmare Eclipsed.
So what you're saying is they don't want anyone to fix bugs. Got it.