AMD Stiffs Researcher $10k Bug Bounty
87 points | 6 hours ago | 3 comments | gadgetreview.com | HN
wilburTheDog
2 hours ago
At what point does it become more sensible to black hat these zero days? If the company you are helping out isn't willing to give you more than the finger for your help it seems like you're the fool in that arrangement.

Feeling grumpy today, I guess.

tptacek
2 hours ago
Nobody is buying this vulnerability. If you're unhappy with how a bug bounty program is structured, you should absolutely just post the vulnerability. That's a longstanding norm.
strken
1 hour ago
What makes a vulnerability saleable? Is this one not valuable because the government clients of someone like Memento Labs don't care about a MITM attack on desktop computers?
akerl_
41 minutes ago
Generally the vulnerabilities you can sell for money are ones that somebody can easily use to make money, as part of an existing money-making scheme they have.

If the vuln can’t be used to make money, or the way it makes money requires that a criminal enterprise make up a whole new set of workflows, it’s not going to have much of a market.

jnwatson
47 minutes ago
Correct.
imglorp
2 hours ago
After this disastrous AMD PR, many who find a new vuln will be asking exactly that question. As a result of that, many who are buying CPUs will know how seriously AMD takes security and prompt, correct vuln fixing.

Once again, the AMD motto applies: they never miss an opportunity to miss an opportunity.

IncreasePosts
2 hours ago
Pretty much never unless you live in a jurisdiction that won't punish you or send you to the appropriate people to be punished. If you're Russian and want to never step foot out of Russia and only attack American systems, you can do it.
ChrisArchitect
4 hours ago
zingababba
4 hours ago
Post from researcher: https://mrbruh.com/amd2/