The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I’m sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.
The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.
AMD replied saying that it would “likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases.” That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing “http” with “https” in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul’s work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn’t it have a higher priority?
Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of “wassup?” before the clock ticked its last tock, only to be asked for extra time again, being told that “multiple tools are affected by [the bug]”, and that “[AMD’s] customers request additional time once [the fixes] are made available.” Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.
“the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question.”
How do you KNOW the CIA wasn’t paying for that bug to be prolonged?
Same question about epistemology: how do you KNOW God is/isn’t real? How do you know this isn’t a simulation with a system administrator who can supplant causation that is capable of being proven scientifically?
You live in a police state. The CIA routinely breaks the law for purposes they deem necessary. It’s a possibility they were exploiting the bug for their purposes. This is the reality we live in. But this gets dismissed by charismatic figures in the news so the average person never truly considers it. Operation Mockingbird was FIFTY years ago, proving the agency is not just lying to the American public but actively breaking the law to do so. Why not this?
I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.
Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a simmilar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some goulag after getting exposed via said exploit.
For those that don’t read the article - Paul AGREED to no payment, and later regret it. Why should amd pay? They made it clear their policy doesn’t cover MITM attacks and so there is no bounty available for this vulnerability. Amd had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!
The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I’m sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.
“the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question.”
Nah, they should pay him…
How do you KNOW the CIA wasn’t paying for that bug to be prolonged?
Same question about epistemology: how do you KNOW God is/isn’t real? How do you know this isn’t a simulation with a system administrator who can supplant causation that is capable of being proven scientifically?
You live in a police state. The CIA routinely breaks the law for purposes they deem necessary. It’s a possibility they were exploiting the bug for their purposes. This is the reality we live in. But this gets dismissed by charismatic figures in the news so the average person never truly considers it. Operation Mockingbird was FIFTY years ago, proving the agency is not just lying to the American public but actively breaking the law to do so. Why not this?
I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.
Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a simmilar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some goulag after getting exposed via said exploit.
Well shiiiiiiiiiit balls.
I was thinking just pay the 10k amd
For those that don’t read the article - Paul AGREED to no payment, and later regret it. Why should amd pay? They made it clear their policy doesn’t cover MITM attacks and so there is no bounty available for this vulnerability. Amd had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!
Damn that might make me read the article
They told him that paying him was out of the question and he said ohhh
They can fucking pay him.
Reading comprehension not your strong suit? Or just raging on the title without clicking the link?
That is essentially the behavior AMD is incentivizing here.