
AMD’s product security bug bounty program promises up to $30,000 for researchers who find vulnerabilities in its hardware. A 22-year-old New Zealand programmer, who goes by Paul, reported a remote code execution (RCE) flaw in AMD’s AutoUpdate software. The company did not pay the $10,000 bounty, citing program terms that exclude man-in-the-middle (MITM) attacks. The researcher detailed the vulnerability on his MrBruh blog, explaining how an attacker could exploit it to intercept network traffic. Paul described the vulnerability, which allowed an attacker to execute a MITM attack, as a critical risk: malicious actors could replace legitimate network responses with executable code, effectively controlling data flows between users and applications without detection.
The flaw, which AMD patched after 124 days, allowed malicious actors to execute a man-in-the-middle attack. Paul described the risk as significant, noting that attackers could replace network responses with malicious code. AMD acknowledged the report and released a CVE entry on June 12, but declined to pay the bounty. The company asked Paul to remove his blog post indefinitely, a move he described as adding insult to injury. The 124-day delay between the disclosure and the patch left users potentially exposed for a prolonged period, raising concerns about the effectiveness of AMD’s response mechanisms in addressing critical vulnerabilities. During this window, systems relying on AutoUpdate could have been targeted by threat actors exploiting the flaw to inject malicious payloads into network traffic, potentially compromising sensitive data or system integrity.
AMD’s decision hinges on its bounty program’s scope. The terms explicitly exclude MITM attacks, a detail Paul says was not clearly communicated. While the company acted on his report, the lack of payment has raised questions about its commitment to security researchers. The delay in patching also sparked concerns about how long users were exposed to potential exploits. The specific exclusion of MITM attacks from the bounty program’s eligibility criteria, as outlined in AMD’s terms, has drawn criticism from the security community, who argue that such vulnerabilities are among the most dangerous in modern computing environments due to their potential for widespread exploitation. This exclusion may have inadvertently discouraged researchers from reporting similar flaws in the future, undermining the program’s intended purpose of incentivizing proactive security improvements.
Consumers using AMD products with auto-update features may still be vulnerable. Paul recommends uninstalling existing software and downloading updates from AMD’s official site. He also advises using security tools that actively monitor for threats. The incident highlights a broader tension between corporate policies and the practical realities of cybersecurity. The handling of Paul’s report has drawn scrutiny, and the company’s response shows the challenges of aligning bug bounty programs with real-world security risks. For now, users are left to handle the gap between policy and practice.
The situation surrounding Paul raises questions about AMD’s handling of security reports. The big question stemming from all of this is: should you be worried about security if you have AMD components in your computer? The good news is that AMD did patch the AutoUpdate bug that Paul brought to light. Before this fix, users were exposed to potential MITM attacks for as many as 124 days. This type of attack entails eavesdropping or even placing code directly between the target and the application they’re using. This was made possible because malicious parties could achieve a simple RCE: as Paul explained, they could “replace the network response with any malicious executable of their choosing.” If you use AMD products with auto-update functionality, you might still be affected by the AMD bug that Paul discovered. In Paul’s republished blog post about the RCE vulnerability, he recommends that AMD users “uninstall everything” and download the latest versions of AMD software from the official website. And of course, you should always use security apps that actually protect your computer.