this post was submitted on 13 Jun 2026
150 points (99.3% liked)

Technology

[–] BorgDrone@feddit.nl 8 points 33 minutes ago (1 children)

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.

This is the most shocking part. You’d think that AMD as a high-tech company has some smart people working for them. These are very basic things that any half-decent programmer should get right. If at no part of the process of implementing this anyone brought up that this is not secure, that is extremely worrying and indicative of a very broken development process. It’s not like a proper cryptographic signature costs extra. This is just pure incompetence.

[–] themachinestops@lemmy.dbzer0.com 1 points 7 minutes ago

The problem with using CRC32 is that it is reversible and has a high collision rate. An attacker can easily make a file that generates the same hash. This took a few minutes of searching online. It appears that people who work at AMD don't even know how to do proper research. All they have to do is look up how to make a secure updating process.
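
Added example, not part of any comment in this thread and not AMD's code: a standard-library Python check of why a CRC32 match says nothing about authenticity. It shows that CRC32 is affine over XOR (a known change to the data gives a predictable change to the checksum) and that a birthday search over constructed 32-byte samples finds two different inputs with the same CRC32 quickly, while SHA-256 has neither property. The helper names and sample data are assumptions made for the illustration.

```python
import hashlib
import zlib


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """crc(a^b^c) == crc(a)^crc(b)^crc(c) holds for any equal-length inputs."""
    combined = zlib.crc32(xor_bytes(a, b, c))
    return combined == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """Same relation tested on SHA-256 digests; a cryptographic hash does not satisfy it."""
    digests = [hashlib.sha256(x).digest() for x in (a, b, c)]
    return hashlib.sha256(xor_bytes(a, b, c)).digest() == xor_bytes(*digests)


def sample(i: int) -> bytes:
    """Constructed 32-byte stand-in for file contents (not real update data)."""
    return hashlib.sha256(b"constructed sample %d" % i).digest()


def first_crc32_collision(limit: int = 2_000_000):
    """Birthday search: return (attempts, msg_a, msg_b) where both share one CRC32."""
    seen = {}
    for i in range(limit):
        msg = sample(i)
        crc = zlib.crc32(msg)
        if crc in seen and seen[crc] != msg:
            return i + 1, seen[crc], msg
        seen[crc] = msg
    raise RuntimeError("no collision within limit")


if __name__ == "__main__":
    a, b, c = sample(1), sample(2), sample(3)
    print("CRC32 affine over XOR:  ", crc32_is_affine(a, b, c))
    print("SHA-256 affine over XOR:", sha256_is_affine(a, b, c))
    attempts, m1, m2 = first_crc32_collision()
    print("CRC32 collision after", attempts, "samples:", hex(zlib.crc32(m1)))
    print("SHA-256 still differs:  ", hashlib.sha256(m1).digest() != hashlib.sha256(m2).digest())
```

The search succeeds after roughly 2^16 samples because the checksum is only 32 bits wide. An updater that needs authenticity verifies a public-key signature over the file against a key shipped with the installed software.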

[–] xthexder@l.sw0.com 12 points 56 minutes ago

Didn't Microsoft just pull this same thing and now there's all these 0-days getting released publicly as vengeance? I swear, all these companies are sharing the same brain cell...

[–] realitaetsverlust@piefed.zip 23 points 2 hours ago

What a stupid expectation. A company with a market cap of 700 billion can't just throw 10.000 bucks around. Y'all need to think of the sustainability of the company.

[–] QuandaleDingle@lemmy.world 35 points 3 hours ago* (last edited 3 hours ago)

They really do be stepping over dollars to pick up pennies.

Or in this case, to save them.

[–] vk6flab@lemmy.radio 63 points 4 hours ago (1 children)

Nothing quite like creating a specific incentive for researchers to seek "alternative" sources of income as payment for their research efforts.

Microsoft tried this .. seems to be working out for them .. not.

[–] floofloof@lemmy.ca 44 points 3 hours ago

But they saved themselves a whopping $10,000. It's not like AMD has that kind of money to throw around.