this post was submitted on 13 Jun 2026
479 points (99.6% liked)

Technology

85461 readers
3734 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
479
AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw (www.techspot.com)
submitted 3 days ago by sanitation@lemmy.today to c/technology@lemmy.world
50 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] neclimdul@lemmy.world 1 points 2 days ago (1 children)

I don't have all the facts but based on the article I don't see the problem everyone seems upset about.

They received the report, decided it was valid but didn't match a bounty. Then asked him to follow standard responsible disclosure processes giving him credit in the final release. All very standard.

Should there have been a bounty? AMD has the budget, probably yes. But nothing in the communications seems any different from what I've seen and have received similar from companies in the past.

[โ€“] crazyduck@lemmy.zip 16 points 1 day ago

Except when he responsibly disclosed to AMD, they closed the ticket as "out of scope" without any further communication. He then made a blog post about it warning other users about the vulnerability since ostensibly, AMD didn't want to fix it. Only after that post had gone viral AMD suddenly came back saying that despite the ticket being closed as such, their internal security team was still analysing it and he should've somehow known that and that he violated the TOC of the bug bounty program (remember, after saying that the vulnerability was out of scope of the program). Additionally AMD then changes those terms a month after the initial ticket to suddenly say that even if the ticket is refused, you're still not allowed to talk about it. Then to top it off they take a month longer to fix it then is industry standard, don't disclose the fix to the researcher as is customary until a few days before release and only because he kept badgering them and as the cherry don't tell their users that the only way to securely fix this is by uninstalling and reinstalling. Everything about it is scummy behaviour all around.