AMD Stiffs Researcher $10k Bug Bounty(www.gadgetreview.com)

92 pointsby worik7 hours ago3 comments

ChrisArchitect5 hours ago
[dupe] https://news.ycombinator.com/item?id=48492215
wilburTheDog4 hours ago
At what point does it become more sensible to black hat these zero days? If the company you are helping out isn't willing to give you more than the finger for your help it seems like you're the fool in that arrangement.
Feeling grumpy today, I guess.
- tptacek3 hours ago
  Nobody is buying this vulnerability. If you're unhappy with how a bug bounty program is structured, you should absolutely just post the vulnerability. That's a longstanding norm.
  - strken2 hours ago
    What makes a vulnerability saleable? Is this one not valuable because the government clients of someone like Memento Labs don't care about a MITM attack on desktop computers?
    akerl_2 hours ago
    Generally the vulnerabilities you can sell for money are ones that somebody can easily use to make money, as part of an existing money-making scheme they have.
    If the vuln can’t be used to make money, or the way it makes money requires that a criminal enterprise make up a whole new set of workflows, it’s not going to have much of a market.
    jnwatson2 hours ago
    Correct.
- imglorp3 hours ago
  After this disastrous AMD PR, many who find a new vuln will be asking exactly that question. As a result of that, many who are buying CPUs will know how seriously AMD takes security and prompt, correct vuln fixing.
  Once again, the AMD motto applies: they never miss an opportunity to miss an opportunity.
- IncreasePosts4 hours ago
  Pretty much never unless you live in a jurisdiction that won't punish you or send you to the appropriate people to be punished. If you're Russian and want to never step foot out of Russia and only attack American systems, you can do it.
zingababba6 hours ago
Post from researcher: https://mrbruh.com/amd2/