this post was submitted on 14 Jun 2026
633 points (98.9% liked)

Technology
[–] kuhli@lemmy.dbzer0.com 50 points 13 hours ago (2 children)

Y'all really need to read past the headline:

the bug that Paul found seemingly wouldn't be triggered anyway, as the relevant section of the code wasn't being called to begin with

[–] monotremata@lemmy.ca 5 points 3 hours ago

Okay, yes, but that's because they had messed up their application enough that the updater itself couldn't be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn't actually be exploited only because of a deeper flaw he hadn't found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.

[–] rustydrd@sh.itjust.works 88 points 10 hours ago (2 children)

I guess it's one of those "justifiable but unwise" sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don't want is to create the perception that the work of devs who look for these vulnerabilities isn't appreciated, for example, by skimping on bounties over technicalities.

Paying the 10k doesn't ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs' trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

[–] grinning_serpent@lemmy.world 6 points 4 hours ago (3 children)

It encourages people who find these bugs to use them rather than report them.

[–] reksas@sopuli.xyz 2 points 53 minutes ago

Things like that should give pause to other corporations when they consider where they buy their stuff from.

[–] Quexotic@infosec.pub 1 points 54 minutes ago

I mean, you get paid an awful lot more if you sell it on the dark web, so why wouldn't you at this point?

[–] Lost_My_Mind@lemmy.world 1 points 1 hour ago

I hope they do.

[–] Smoogs@lemmy.world 12 points 6 hours ago* (last edited 6 hours ago)

Sure, however it's still worth calling out that clickbait headlines and reactionary posters are all being bad actors here in the misinformation spread.

Probably more important as then developers don't back out over being emotionally manipulated by fake bullshit.