this post was submitted on 13 Jun 2026
478 points (99.6% liked)

Technology

[–] teyrnon@sh.itjust.works 98 points 2 days ago

Well the next time someone finds a bug in their software they will have to find other ways to monetize it.

[–] xthexder@l.sw0.com 120 points 2 days ago (3 children)

Didn't Microsoft just pull this same thing and now there's all these 0-days getting released publicly as vengeance? I swear, all these companies are sharing the same brain cell...

[–] Flower@sh.itjust.works 68 points 2 days ago (3 children)

all these companies are sharing the same brain cell…

they all have upper management that went to the same schools and the same classes, so they're all indoctrinated the same way.

[–] Zombie@feddit.uk 28 points 2 days ago

And the people in the houses
All went to the university
Where they were put in boxes
And they came out all the same

And there's doctors and lawyers
And business executives
And they're all made out of ticky-tacky
And they all look just the same

And they all play on the golf course
And drink their martinis dry
And they all have pretty children
And the children go to school

And the children go to summer camp
And then to the university
Where they are put in boxes
And they come out all the same

https://youtu.be/XUwUp-D_VV0

[–] xbeam@sh.itjust.works 14 points 2 days ago

Exactly. The engineering teams are in the background saying to pay him.

[–] teyrnon@sh.itjust.works 11 points 2 days ago (1 children)

Plus they are following the lead of the country's leadership, which is to cheat everyone you are able to.

[–] Flower@sh.itjust.works 6 points 2 days ago (2 children)

Trump too has a degree in economics and went to a prestigious finance school so that tracks.

[–] Tower@lemmy.zip 4 points 2 days ago

‘Donald Trump was the dumbest goddamn student I ever had!’

[–] BillCheddar@lemmy.world 3 points 2 days ago

Trump didn't pass any of his classes or do any of his own work, though. He didn't learn anything because he's fucking stupid.

[–] pressanykeynow@lemmy.world 17 points 2 days ago

all these companies are sharing the same brain cell...

This cell is called investors.

[–] Bahnd@lemmy.world 10 points 2 days ago* (last edited 2 days ago) (1 children)

Yep, the Nightmare Eclipse* crashout continues to be endlessly entertaining and a train wreck for Microsoft's security devs.

*Thanks for the name correction.

[–] Redjard@reddthat.com 2 points 2 days ago

*Nightmare Eclipse

[–] zurohki@aussie.zone 87 points 2 days ago (1 children)

My favourite part was when they rejected the flaw saying it's out of scope for their bounty program but still wanted him to keep it secret because of the rules of the bounty program. The same bounty program that didn't cover it.

[–] luciferofastora@feddit.org 3 points 1 day ago

but still wanted him to keep it secret because of the rules of the bounty program

The rules that were changed after the rejection

[–] Etterra@discuss.online 8 points 1 day ago (1 children)

Again, that means they don't want anyone to report or fix security flaws.

[–] M0oP0o@mander.xyz 4 points 1 day ago

Yes, that is correct.

They want to look like they care, not actually care.

[–] Treczoks@lemmy.world 33 points 2 days ago

Have they not understood what currently is happening with Microsoft?

[–] ITGuyLevi@programming.dev 56 points 2 days ago (2 children)

A long time ago I felt like bug bounty programs would be an amazing way forward... Now I'm firmly in the camp of fuck it, sell it to the highest bidder.

[–] RememberTheApollo_@lemmy.world 14 points 2 days ago (1 children)

The only issue with doing that is selling it to a nefarious party hurts the users and not really AMD. Or at least it isn’t hurting AMD anywhere near as much as it might hurt an innocent party.

[–] Sculptor9157@sh.itjust.works 30 points 2 days ago

And that is a risk AMD is willing to take.

Depends if the company has a history of honoring bounties or not.

[–] YiddishMcSquidish@lemmy.today 34 points 2 days ago

Advertising that you stiff smart people who know your architecture? Good luck AMD.

[–] vk6flab@lemmy.radio 122 points 2 days ago (1 children)

Nothing quite like creating a specific incentive for researchers to seek "alternative" sources of income as payment for their research efforts.

Microsoft tried this .. seems to be working out for them .. not.

[–] floofloof@lemmy.ca 97 points 2 days ago

But they saved themselves a whopping $10,000. It's not like AMD has that kind of money to throw around.

[–] tortina_original@lemmy.world 38 points 2 days ago (1 children)

This is going to work out really well for AMD. Any future vulnerabilities will most certainly be reported to them, responsibly. Right?

[–] BlackLaZoR@lemmy.world 12 points 2 days ago

Totally. If they happen to be the highest bidder on the dark web that is

[–] QuandaleDingle@lemmy.world 71 points 2 days ago* (last edited 2 days ago)

They really do be stepping over dollars to pick up pennies.

Or in this case, to save them.

[–] realitaetsverlust@piefed.zip 57 points 2 days ago

What a stupid expectation. A company with a market cap of 700 billion can't just throw 10,000 bucks around. Y'all need to think of the sustainability of the company.

[–] BorgDrone@feddit.nl 45 points 2 days ago (4 children)

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.

This is the most shocking part. You’d think that AMD as a high-tech company has some smart people working for them. These are very basic things that any half decent programmers should get right. If at no part of the process of implementing this anyone brought up that this is not secure, that is extremely worrying and indicative of a very broken development process. It’s not like a proper cryptographic signature costs extra. This is just pure incompetence.

[–] themachinestops@lemmy.dbzer0.com 20 points 2 days ago (2 children)

The problem with using CRC32 is that it is reversible and has a high collision rate. An attacker can easily make a file that generates the same hash. This took a few minutes of searching online. It appears that people who work at AMD don't even know how to do proper research. All they have to do is look up how to make a secure updating process.

[–] Miaou@jlai.lu 11 points 2 days ago

The problem is that a CRC32 checksum is not a signature. Doesn't matter if they use the most complex checksum in the world or not, what they need here is a signature

[–] ren@reddthat.com 1 points 2 days ago (1 children)

What does it matter if it's CRC or sha512 if they are using an unsecured connection to transmit them? A stranger who has already acquired capability to modify the payload in transit can also modify the checksum. A better hash will not solve this problem.

[–] themachinestops@lemmy.dbzer0.com 1 points 2 days ago* (last edited 2 days ago) (1 children)

They use https now, but use CRC for signature verification:

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.

I could be wrong here, but I believe they should use a combination of SHA256 and PGP for signature verification.

[–] ren@reddthat.com 1 points 2 days ago* (last edited 2 days ago) (1 children)

Oh, okay, so maybe I misread the sentence. I thought the implication was they used CRC32 as opposed to HTTPS. Not sure why you need an additional layer in addition to HTTPS, as long as the certificate chain is set up properly. And again, you're not gaining additional security if you submit the hash (or a GPG key) through the same channel. So if they already use HTTPS and just want to check for broken downloads, CRC32 is perfectly fine.

[–] NGram@piefed.ca 2 points 2 days ago

An attacker can still send a compromised payload if there's no signature verification of the update. It takes a more sophisticated attack (e.g. supply chain attack, hijacking AMD's update website, etc.) but it has happened before to other companies. If the payload is signed and verified, an attacker would also need to gain access to AMD's private key to successfully send out a bad update. Assuming reasonable security, getting that private key would be a lot harder on top of somehow compromising AMD's update web service.

Also CRC checks over the internet are sort of silly and redundant since every packet sent would already be subject to a similar CRC check and bad packets would be ignored (dropped and re-requested). It would only prevent corruption on disk or in memory which are a lot less likely than transmission corruption.
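
The thread above (the CRC32-vs-signature point, the claim that a colliding file is easy to make, and the point that a signature only fails open if the vendor's private key leaks) is easier to see in working code. The following is an added example written for this page, not code from the original post, from the article it discusses, or from AMD's updater. It assumes two constructed byte strings standing in for a genuine and a hostile installer, uses Ed25519 as a stand-in for whatever signature scheme a vendor would actually pick, and generates a throwaway key pair at run time; the attacker model is someone who can change the file the updater downloads (a compromised download host, or a MITM that the transport check does not catch), which is exactly the case HTTPS alone does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// Constructed sample payloads standing in for an update installer; they are
// not real AMD files.
var (
	genuineUpdate   = []byte("UPDATE v1.2.3: legitimate installer bytes")
	maliciousUpdate = []byte("UPDATE v1.2.3: attacker-controlled installer bytes")
)

// forgeCRC32 appends four bytes to payload so that crc32.ChecksumIEEE of the
// result equals target. CRC-32 is linear: each input byte moves the 32-bit
// state by one table lookup, and the high byte of every IEEE table entry is
// distinct, so the four lookups can be chosen backwards from the target state.
func forgeCRC32(payload []byte, target uint32) []byte {
	tab := crc32.IEEETable
	indexByHighByte := func(hi uint32) byte {
		for i, e := range tab {
			if e>>24 == hi {
				return byte(i)
			}
		}
		panic("IEEE table high bytes are a permutation of 0..255")
	}

	// Backward pass: from the desired final state (before the final XOR),
	// recover the table index each of the four bytes must hit, last byte first.
	state := ^target
	var idx [4]byte
	for k := 3; k >= 0; k-- {
		idx[k] = indexByHighByte(state >> 24)
		state = (state ^ tab[idx[k]]) << 8 // high 24 bits of the previous state
	}

	// Forward pass: from the real state after payload, pick each byte so the
	// table lookup lands on the index found above.
	state = ^crc32.ChecksumIEEE(payload)
	out := append([]byte(nil), payload...)
	for k := 0; k < 4; k++ {
		b := idx[k] ^ byte(state)
		out = append(out, b)
		state = tab[idx[k]] ^ (state >> 8)
	}
	return out
}

// verifyCRC32 is the kind of check the researcher reported finding: anyone
// who can change the file can also make it pass.
func verifyCRC32(file []byte, published uint32) bool {
	return crc32.ChecksumIEEE(file) == published
}

// verifySignature is what an updater needs instead: passing it requires the
// vendor's private key, which a compromised download host does not have.
func verifySignature(pub ed25519.PublicKey, file, sig []byte) bool {
	return ed25519.Verify(pub, file, sig)
}

func main() {
	// Vendor side: publish a CRC32 and an Ed25519 signature of the genuine file.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	publishedCRC := crc32.ChecksumIEEE(genuineUpdate)
	publishedSig := ed25519.Sign(priv, genuineUpdate)

	// Attacker side: serve a different file whose CRC32 still matches.
	forged := forgeCRC32(maliciousUpdate, publishedCRC)

	fmt.Printf("published CRC32            %08x\n", publishedCRC)
	fmt.Printf("forged file CRC32          %08x\n", crc32.ChecksumIEEE(forged))
	fmt.Printf("CRC32 check on forged file %v\n", verifyCRC32(forged, publishedCRC))
	fmt.Printf("SHA-256 of the files equal %v\n", sha256.Sum256(forged) == sha256.Sum256(genuineUpdate))
	fmt.Printf("signature, genuine file    %v\n", verifySignature(pub, genuineUpdate, publishedSig))
	fmt.Printf("signature, forged file     %v\n", verifySignature(pub, forged, publishedSig))
}
```

Two things worth noticing. The forgery needs nothing secret and no search: four appended bytes are always enough to hit any CRC32, so a CRC check tells you only that the bytes survived transit, which TCP already guarantees. The signature check, by contrast, does not care how the file arrived; it fails on the forged file whether it came over HTTPS or not, and can only be made to pass by whoever holds the signing key, so the transport and the signature protect against different attackers rather than one being a substitute for the other. On Windows the usual shape of this is an Authenticode signature on the installer, verified before it is run.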

[–] BrianTheeBiscuiteer@lemmy.world 11 points 2 days ago (1 children)

Not surprising at all. I work in IT and security is by and large reactionary and based on scans that are often rudimentary. As far as training devs on good security practices there's next to nothing. You learn from getting your hand slapped or you don't learn at all.

[–] fubly_glaston@feddit.org 4 points 2 days ago (1 children)

As someone who is frequently the one slapping hands (and backs of heads), I can confirm this.

And still they don't learn.

[–] luciferofastora@feddit.org 1 points 1 day ago (1 children)

Can I send you to a few colleagues that could use a good slapping?

[–] fubly_glaston@feddit.org 2 points 1 day ago

My track record isn't great.. might need a different approach before I get carpal tunnel.

[–] vithigar@lemmy.ca 5 points 2 days ago

The very smart people working on their architecture and chip design are very much not the same people who are working on their desktop software.

[–] nlgranger@lemmy.world 6 points 2 days ago* (last edited 2 days ago)

Well the next time someone finds a bug in their software they will have to find other ways to monetize it.

AMD has always sucked at making software. The reason NVidia gained the AI market is that NVidia worked to write and support all the CUDA libraries. AMD devs are so bad they even struggle to just replicate the APIs NVidia already designed years earlier (ROCm/HIP projects). Even Intel, who arrived much later, almost managed to catch up with their own HW/SW stack (I think they gave up afterward).

[–] biggerbogboy@sh.itjust.works 18 points 2 days ago

I swear, AMD and Microsoft are two brain cells competing for third place

[–] neclimdul@lemmy.world 1 points 1 day ago (1 children)

I don't have all the facts but based on the article I don't see the problem everyone seems upset about.

They received the report, decided it was valid but didn't match a bounty. Then asked him to follow standard responsible disclosure processes giving him credit in the final release. All very standard.

Should there have been a bounty? AMD has the budget, probably yes. But nothing in the communications seems any different from what I've seen and have received similar from companies in the past.

[–] crazyduck@lemmy.zip 16 points 1 day ago

Except when he responsibly disclosed to AMD, they closed the ticket as "out of scope" without any further communication. He then made a blog post about it warning other users about the vulnerability since, ostensibly, AMD didn't want to fix it. Only after that post had gone viral did AMD suddenly come back saying that, despite the ticket being closed as such, their internal security team was still analysing it, that he should've somehow known that, and that he violated the TOC of the bug bounty program (remember, after saying that the vulnerability was out of scope of the program). Additionally, AMD then changed those terms a month after the initial ticket to suddenly say that even if the ticket is refused, you're still not allowed to talk about it. Then, to top it off, they took a month longer to fix it than is industry standard, didn't disclose the fix to the researcher as is customary until a few days before release, and only because he kept badgering them, and as the cherry on top didn't tell their users that the only way to securely fix this is by uninstalling and reinstalling. Everything about it is scummy behaviour all around.