The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I’m sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.
The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.
AMD replied saying that it would “likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases.” That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing “http” with “https” in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul’s work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn’t it have a higher priority?
Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of “wassup?” before the clock ticked its last tock, only to be asked for extra time again, being told that “multiple tools are affected by [the bug]”, and that “[AMD’s] customers request additional time once [the fixes] are made available.” Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.
“the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question.”
Nah, they should pay him…
That is essentially the behavior AMD is incentivizing here.
I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.
Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a simmilar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some goulag after getting exposed via said exploit.
Well shiiiiiiiiiit balls.
I was thinking just pay the 10k amd
For those that don’t read the article - Paul AGREED to no payment, and later regret it. Why should amd pay? They made it clear their policy doesn’t cover MITM attacks and so there is no bounty available for this vulnerability. Amd had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!
They told him that paying him was out of the question and he said ohhh
They can fucking pay him.
Reading comprehension not your strong suit? Or just raging on the title without clicking the link?
Hey troll, that’s from the fucking link. go read it yourself. and welcome to my blocklist
Hey 🤡 did u read the part where AMD doesn’t offer reward for MITM attacks? And that this vulnerability could not be exploited? Think I give a fuck if I’m on ur block list? Keep isolating urself in ur own little echo chamber buddy like I give a fuck 😂
The impulsive guy in me is thinking that I should cancel AMD over something like this while the rational one remembers that (at least for non-Apple PCs) it’s basically a duopoly and if I cancel the other player over something stupid that they do, I’d be out of choices.
What do you guys think?
Do yourself a favor and actually read the article. Not saying AMD is in the right here, but they aren’t in the wrong for not paying Paul when he agreed to no pay out.
Every major company is fucking evil
We let the psychopaths get their way
Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.
Yep stabbing your way to the top is the fastest way
Read the article
Are you saying that to yourself? Yes, you should read the article.
I did. That’s how I know you didn’t and just reactionary posted to the title to emotionally manipulate other posters for Updoots.
You’re the evil one here.
At this point, I’m going to assume you’re trolling. I’m moving on and will not respond to any more of your comments.
i expect nothing less from shitty influencers getting called out for shit tactics and slinking away.
Excellent way to encourage responsible disclosure.
/s
Y’all really need to read past the headline:
the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with
Pretty sure ur the only commentator here that actually opened the link LMFAO
