These multi-billion dollar companies screwing security researchers out of bounty dollars that equate to not even a visible speck within their budgets *is not going to end well for them. At all.*
*Looking @ you too, MicroSlop.*
🤦🏻♂️
Federal_Setting_7454 on
Title is a bit misleading. The rule wasn’t changed to deny the bounty; it appears AMD denied the bounty up front as it was out of scope for the bug bounty.
What they allegedly changed was the disclosure rules after the fact. They then asked the reporter to remove them, which he agreed to do.
Also the only place 10k is mentioned is the title.
Maqoba on
AMD should remember that bug bounty programs are there to avoid having these bugs discovered by malevolent parties. In that situation, AMD will pay much more than $10K.
indifferentcabbage on
Greedy scum, I don’t think it would take much effort for the vulnerability to be available over the darknet after this.
quetzalcoatlus1453 on
So the lesson after reading about this and how Microsoft jerked that one guy around is don’t bother with bug bounty programs, and just sell your discovered vulnerability to the highest bidder?
cipher315 on
Moral of the story. If you have something good contact the NSA. They pay top dollar.
Aranthos-Faroth on
They need to remember that out there, there are groups that would pay much more than 10k for bug finds.
AcceptablyThanks on
Give it a couple more stories like this and these guys are just gonna start exploiting instead of reporting
Mountainking7 on
Why are those big corpos nickel-and-diming those security researchers? This does zero dent in their finances….
BubblegumRigby on
Nation state actors are actively salivating at all these denied bounties
frAgileIT on
Companies just keep pissing in the faces of people trying to help them. They shouldn’t act surprised if it blows up in their face.
BigStroll on
Why would AMD squabble over $10K? That’s peanuts to a near-trillion-dollar company.
terrorjshark on
so 124 days of work was only going to cost you $10k, and that is too much for amd to pay lol
hackingdreams on
"Well, we have this penny for prevention we could pay, or we could pay millions of dollars in repairs later… you know what, let’s go with the millions. That’ll be the next CEO’s problem to contend with."
CCLF on
Guarantee that this decision was made by someone at a middle level trying to cut costs to make themselves noticed by upper management. Screw the repercussions, they’re not planning to stick around for long enough to deal with them.
CandidFalcon on
It may be possible that these big companies deliberately implement security holes in their devices.
Unfortunately, this time someone caught them and they are not happy!
KindHustl on
I guess they either pay a bounty or pay a ransom. Eventually people will get tired of being scammed by the big companies
You can pay a researcher $10k, or you can pay millions in damages and marketing when 0-day hacks start appearing, courtesy of people who were willing to pay the researcher for his work. I’ll never understand how a multibillion company economizes on something that should be pocket money for them. Whoever made the decision not to pay should be fired.
MrTastix on
Awesome, next time a bug is found they’ll be sure to sell it to a third-party country for bigger profits then.
Get fucked, dipshits.
nox404 on
The reality of the situation is that no one will hold AMD responsible for security flaws.
So why should AMD pay for found security flaws?
NomadGeoPol on
Bug bounties keep us all safer. The real heroes we need.
Lurker9594 on
Seems like a pittance for AMD, such a weird choice. Definitely seems like it sends the message to not report bugs and instead try to sell it to other interested parties. I guess that would be criminal but I’d imagine anyone smart enough to find an exploit is savvy enough to cover their tracks.
TheBulletStorm on
If someone did this to me I’d start selling the info to the other side and really screw them over. This is how you make villains.
Arawn-Annwn on
> Decompiling the software revealed that while AMD’s updater pulled its update list over HTTPS, the executable download links themselves used plain HTTP. Worse still, the updater apparently performed no certificate validation or real signature check before running the downloaded file.
So this is AMD getting caught not even trying, getting embarrassed they were _caught_ and then gaslighting to cover up their misdeeds.
> The company’s response was to close the report because it was deemed "out of scope," as it involved a man-in-the-middle attack and affected optional tools. That meant no bounty, **despite the bug later receiving CVE-2026-40677 and a CVSS 4.0 score of 7.7. The full process lasted 124 days, with the embargo ending on June 9.**
Bold for people who aren’t reading the article but defending AMD…
And this still isn’t made fully safe, they are only using a crc32 check which is **not** cryptographically secure.
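As an added example (not code from the article, from this commenter, or from AMD’s updater), here is a stand-alone Python sketch of the two kinds of check being contrasted: a SHA-256 digest pinned in the HTTPS-served update list versus a bare CRC32 over the binary fetched over plain HTTP. The file name, URL, payload bytes and manifest layout are all constructed placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for an installer binary; not any vendor's real file.
GOOD_PAYLOAD = b"MZ" + b"\x00" * 14 + b"constructed stand-in for an installer binary"

# Same length, one byte changed: what a man-in-the-middle on the plain-HTTP
# download could substitute for the genuine file.
TAMPERED_PAYLOAD = GOOD_PAYLOAD[:-1] + b"X"


def make_manifest_entry(name: str, url: str, payload: bytes) -> dict:
    """Build the manifest entry a publisher serves over HTTPS for one release.

    The update list already travels over HTTPS in the flow quoted above, so it
    is the right place to pin what the binary must hash to. The download URL
    may stay plain HTTP; the digest, not the transport, is what the client trusts.
    """
    return {
        "name": name,
        "url": url,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Hypothetical manifest entry for the constructed payload (placeholder URL).
ENTRY = make_manifest_entry(
    "example-tool-1.2.3.exe",
    "http://updates.example.invalid/example-tool-1.2.3.exe",
    GOOD_PAYLOAD,
)
GOOD_CRC = zlib.crc32(GOOD_PAYLOAD)


def verify_update(entry: dict, payload: bytes) -> bool:
    """Accept downloaded bytes only if they match the pinned size and SHA-256."""
    if len(payload) != entry["size"]:
        return False
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; avoids leaking how many hex digits matched.
    return hmac.compare_digest(digest, entry["sha256"])


def crc32_check(expected_crc: int, payload: bytes) -> bool:
    """The weak check: compare an unkeyed 32-bit CRC. It catches accidental
    corruption but gives no assurance against a party who chose the bytes."""
    return zlib.crc32(payload) == expected_crc


def xor_bytes(a: bytes, b: bytes, c: bytes) -> bytes:
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def crc32_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 is an affine function of its input: for three equal-length
    messages crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c). A checksum whose
    output for unseen inputs can be predicted by XOR alone is not a hash."""
    assert len(a) == len(b) == len(c)
    return zlib.crc32(xor_bytes(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation fails for SHA-256, as it must for a cryptographic hash."""
    assert len(a) == len(b) == len(c)

    def h(m: bytes) -> int:
        return int.from_bytes(hashlib.sha256(m).digest(), "big")

    return h(xor_bytes(a, b, c)) == h(a) ^ h(b) ^ h(c)


def demo() -> dict:
    """Run both checks against the genuine and the tampered download."""
    return {
        "pinned_sha256_accepts_genuine": verify_update(ENTRY, GOOD_PAYLOAD),
        "pinned_sha256_rejects_tampered": not verify_update(ENTRY, TAMPERED_PAYLOAD),
        "crc32_accepts_genuine": crc32_check(GOOD_CRC, GOOD_PAYLOAD),
        "crc32_is_linear": crc32_is_linear(b"abcdefgh", b"ijklmnop", b"qrstuvwx"),
        "sha256_is_linear": sha256_is_linear(b"abcdefgh", b"ijklmnop", b"qrstuvwx"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the CRC32 linearity check comes out true while the SHA-256 one comes out false: a CRC is an error-detecting code whose output is an XOR-linear function of its input, so it guards against line noise, not against someone who chooses the bytes, and at 32 bits it has only about four billion possible values. Pinning a SHA-256 in authenticated metadata (or, better still, verifying a publisher signature over the binary before executing it) is what actually closes the plain-HTTP download gap the quoted text describes.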
Horror-Parsnip1833 on
Are they stupid?
Bamboonicorn on
It’s funny to make the guy angry who just went through all of the dumpster spaghetti code to find some dumb bug that I’m sure could never be replicated again in any way, shape or form
phenotype76 on
"AMD later changed the wording of its bug bounty rules to state that researchers must not disclose vulnerability information without AMD’s written consent even if a report is deemed ineligible for a bounty or out of scope"
I mean, if my report is deemed out of scope and ineligible, then it doesn’t sound like anything I do is going to be governed by the arbitrary rules of a private company, does it? You follow the rules because you want them to pay you the bounty. If they’re not gonna pay out the bounty, then what authority do any of their rules have?
GammaFan on
What a great way to get people to stop fixing your broken shit.
YaThatAintRight on
Seems like a bad idea……
Gamers Nexus [did a great examination of this bullshit](https://youtu.be/4HjWHNLRMB0?si=z7I8MazpyscZ9-Xl). The developer in question is one of their homies.