AMD Refuses to Pay $10,000 Bug Bounty After Fixing Its Own Software Flaw
Corporate generosity at its finest! Why reward the brilliant minds keeping your systems safe when you can just rewrite the rules, grab the free fix, and leave them with a polite pat on the back? Let's look at how the red team handles security.
A security researcher discovered a critical vulnerability in the AMD auto-update tool that allowed attackers to execute remote code via man-in-the-middle attacks. Hoping for a standard reward, the finder submitted the report to the official bug bounty program managed by AMD.
Instead of a check, the corporate giants quickly replied that man-in-the-middle exploits were magically excluded from their payout policy. The chipmaker politely asked the researcher to delete his blog post explaining the bug, promising they would give him credit and issue a CVE instead of the cash.
Initially, the fix seemed as simple as changing 'http' to 'https' in a single line of code, but the corporate machinery took its sweet time. AMD requested a 100-day embargo, which eventually stretched to 124 days because their engineers apparently realized the vulnerability affected multiple tools, including Ryzen Master.
When the patch finally dropped on June 9, it turned out AMD completely rewrote the download mechanism. However, the newly secure code still checks downloaded files using CRC32, a checksum designed to catch line noise rather than attackers; it was never a cryptographic hash and offers no protection against a deliberately modified file.
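As an added illustration of that point (example code, not code from the article or from AMD's updater): CRC-32 is linear, so four trailing bytes can always be chosen to make a modified payload match a known checksum, while a SHA-256 digest published out of band still rejects it. The payloads below are constructed samples.

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), identical to zlib.crc32.
_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# Top bytes of the entries are all distinct, so a byte step can be undone.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}

def _register(data: bytes) -> int:
    """CRC register after feeding data; zlib.crc32 is this XOR 0xFFFFFFFF."""
    r = 0xFFFFFFFF
    for b in data:
        r = _TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return r

def crc32_suffix(data: bytes, target: int) -> bytes:
    """Four bytes such that zlib.crc32(data + suffix) == target.
    Feeding 4 bytes d into register r ends in the same state as feeding
    4 zero bytes into r ^ d, so undo four zero-byte steps from the wanted
    end state and XOR with the real state after `data`."""
    s = target ^ 0xFFFFFFFF
    for _ in range(4):
        idx = _REV[s >> 24]
        s = ((s ^ _TABLE[idx]) << 8) | idx
    return (s ^ _register(data)).to_bytes(4, "little")

def verify_crc32(data: bytes, expected: int) -> bool:
    """The weak check: catches line noise, not an adversary."""
    return zlib.crc32(data) == expected

def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """A collision-resistant check against a digest published out of band."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)

def demo() -> dict:
    """Constructed payloads: the tampered one is forced onto the genuine CRC."""
    genuine = b"updater-build-1.0 (constructed sample payload)"
    tampered = genuine + b"; modified content"
    crc_target, sha_target = zlib.crc32(genuine), hashlib.sha256(genuine).hexdigest()
    forged = tampered + crc32_suffix(tampered, crc_target)
    return {"crc32_accepts_tampered": verify_crc32(forged, crc_target),
            "sha256_accepts_tampered": verify_sha256(forged, sha_target),
            "sha256_accepts_genuine": verify_sha256(genuine, sha_target)}
```

A digest alone only helps if it reaches the client over a channel the downloader cannot alter; in practice that means a signature over the file, not a checksum shipped beside it.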
To make things even more hilarious, Reddit users quickly pointed out that the broken updater could not even update itself automatically. Users actually had to download the new version by hand, which ironically blunts the remote exploit: an updater that never fetches an update cannot be fed a malicious one.
Saving ten grand while losing the trust of the entire cybersecurity community is certainly a masterclass in corporate budgeting. Security researchers will surely think twice before reporting the next massive backdoor to a company that values pocket change over digital hygiene.
Source: Tom's Hardware