AMD Stiffs Researcher $10k Bug Bounty
3 hours ago
- #Bug Bounty
- #Security Vulnerability
- #AMD
- AMD's auto-updater downloaded software over plain HTTP, which is neither encrypted nor authenticated, so an attacker on the network path could substitute malware during an update (a man-in-the-middle attack).
- The researcher who found the flaw was denied a $10,000 bounty and AMD fixed it after 124 days, exceeding best practice timelines of 5-14 days for critical vulnerabilities.
- AMD's patch added encryption to the download but still relies on a CRC32 checksum rather than cryptographically signed updates. CRC32 only catches accidental corruption: it is a linear error-detecting code with no secret, so anyone who can alter the file can recompute (or even preserve) the checksum, and the underlying integrity problem remains.
- AMD exploited policy loopholes to avoid paying the bounty, raising concerns about how companies prioritize bug bounty budgets over system security.
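The CRC32 point above is worth seeing in code. The following Go program is an added example written for this summary; it is not AMD's updater, not the researcher's proof of concept, and makes no claim about how AMD's patched updater is built. The `Manifest` type, the two `accept*` checks and the sample "installer" byte strings are constructed for illustration, and Ed25519 stands in for whatever signature scheme a signed-update design would use. It goes one step further than the summary: rather than merely recomputing the CRC over a tampered file, `forgeCRC32` appends four bytes so that an arbitrary payload matches any chosen CRC32 value, which shows that a CRC offers no protection even when the expected value is pinned somewhere the attacker cannot change.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Manifest is a hypothetical update descriptor (not AMD's format): the weak
// design ships only a CRC32 of the binary, the strong design ships a signature.
type Manifest struct {
	CRC32 uint32
	Sig   []byte // Ed25519 signature over the binary
}

// acceptByCRC mirrors a checksum-only updater: any bytes with the right CRC pass.
func acceptByCRC(m Manifest, payload []byte) bool {
	return crc32.ChecksumIEEE(payload) == m.CRC32
}

// acceptBySignature mirrors a signed-update design: only bytes signed with the
// vendor's private key pass, regardless of who delivered them.
func acceptBySignature(pub ed25519.PublicKey, m Manifest, payload []byte) bool {
	return ed25519.Verify(pub, payload, m.Sig)
}

// forgeCRC32 appends four bytes to tampered so that crc32.ChecksumIEEE of the
// result equals target. CRC32 is a linear function whose per-byte step is
// trivially invertible, and no key material is involved, so this always works.
func forgeCRC32(tampered []byte, target uint32) []byte {
	tab := crc32.IEEETable
	// The high bytes of the 256 table entries are a permutation of 0..255,
	// so a state's high byte identifies the table index that produced it.
	var byTop [256]byte
	for i, v := range tab {
		byTop[v>>24] = byte(i)
	}
	// CRC register after the tampered bytes (undo the final inversion).
	reg := ^crc32.ChecksumIEEE(tampered)
	want := ^target

	// Backward pass from the desired register: each step's high byte reveals
	// which table entry was XORed in, and un-shifting gives the previous state.
	// The low byte lost at each step is never consulted, so leaving it zero is safe.
	var idx [4]byte
	r := want
	for i := 3; i >= 0; i-- {
		idx[i] = byTop[r>>24]
		r = (r ^ tab[idx[i]]) << 8
	}
	// Forward pass: choose each suffix byte so the real update step hits the
	// same table index, which forces the register to land on want.
	suffix := make([]byte, 4)
	for i := 0; i < 4; i++ {
		suffix[i] = byte(reg) ^ idx[i]
		reg = tab[byte(reg)^suffix[i]] ^ (reg >> 8)
	}
	out := append([]byte{}, tampered...)
	return append(out, suffix...)
}

func main() {
	// Constructed sample "installers"; not real AMD artifacts.
	genuine := []byte("vendor installer v1.0 (constructed sample)")
	malicious := []byte("attacker-controlled installer (constructed sample)")

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := Manifest{CRC32: crc32.ChecksumIEEE(genuine), Sig: ed25519.Sign(priv, genuine)}

	forged := forgeCRC32(malicious, m.CRC32)
	fmt.Printf("genuine CRC32 %08x, forged CRC32 %08x\n", m.CRC32, crc32.ChecksumIEEE(forged))
	fmt.Println("CRC-only check accepts forged payload:", acceptByCRC(m, forged))              // true
	fmt.Println("signature check accepts forged payload:", acceptBySignature(pub, m, forged))   // false
	fmt.Println("signature check accepts genuine payload:", acceptBySignature(pub, m, genuine)) // true
}
```

Run it with `go run` on the file. The forged payload keeps the attacker's bytes intact and only carries a four-byte tail, so any installer that parses the file normally will run the attacker's code while the CRC check reports success; the signature check fails because producing a valid `Sig` over new bytes requires the private key, which is exactly the property a checksum cannot provide.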