Well the next time someone finds a bug in their software they will have to find other ways to monetize it.
this post was submitted on 13 Jun 2026
354 points (99.4% liked)
Technology
85355 readers
4188 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
A long time ago I felt like bug bounty programs would be an amazing way forward... Now I'm firmly in the camp of fuck it, sell it to the highest bidder.
This is going to work out really well for AMD. Any future vulnerabilities will most certainly be reported to them, responsibly. Right?
Totally. If they happen to be the highest bidder on the dark web that is
My favourite part was when they rejected the flaw saying it's out of scope for their bounty program but still wanted him to keep it secret because of the rules of the bounty program. The same bounty program that didn't cover it.
Didn't Microsoft just pull this same thing and now there's all these 0-days getting released publicly as vengeance? I swear, all these companies are sharing the same brain cell...
Yep, the Midnight Eclipse crashout continues to be endlessly entertaining and a nightmare for Microsofts security devs.
all these companies are sharing the same brain cell…
they all have upper management that went to the same schools and the same classes, so they're all indoctrinated the same way.
And the people in the houses
All went to the university
Where they were put in boxes
And they came out all the sameAnd there's doctors and lawyers
And business executives
And they're all made out of ticky-tacky
And they all look just the sameAnd they all play on the golf course
And drink their martinis dry
And they all have pretty children
And the children go to schoolAnd the children go to summer camp
And then to the university
Where they are put in boxes
And they come out all the same
Plus they are following the lead of the leadership of the country, which is cheating everyone that you are able to.
Trump too has a degree in economics and went to a prestigious finance school so that tracks.
Exactly. The engineering teams are in the background saying to pay him.
AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
This is the most shocking part. You’d think that AMD as a high-tech company has some smart people working for them. These are very basic things that any half decent programmers should get right. If at no part of the process of implementing this anyone brought up that this is not secure, that is extremely worrying and indicative of a very broken development process. It’s not like a proper cryptographic signature costs extra. This is just pure incompetence.
Not surprising at all. I work in IT and security is by and large reactionary and based on scans that are often rudimentary. As far as training devs on good security practices there's next to nothing. You learn from getting your hand slapped or you don't learn at all.
As someone who is frequently the one slapping hands (and backs of heads), I can confirm this.
And still they don't learn.
Well the next time someone finds a bug in their software they will have to find other ways to monetize it.
AMD has always sucked at making software. The reason why NVidia gained the AI market is because NVidia worked to write and support all the CUDA libraries. AMD devs are so bad they even struggle to just replicate the APIs NVidia already designed year earlier (ROCm/HIP projects). Even Intel who arrived much later almost managed to catch up with their own HW/SW stack (I think they gave up afterward).
The problem with using CRC32 is it reversible and has high collusion rate. An attacker can easily make a file the generates the same hash. This tool a few minutes of searching online. It appears that people who work at AMD don't even know how to do proper research. All they have to do is look up how to make a secure updating process.
Day by day, vibe-code all the way...
The problem is that a CRC32 checksum is not a signature. Doesn't matter if they use the most complex checksum in the world or not, what they need here is a signature
What does it matter if it's CRC or sha512 if they are using an unsecured connection to transmit them? A stranger who has already acquired capability to modify the payload in transit can also modify the checksum. A better hash will not solve this problem.
They use https now, but use CRC for signature verification:
AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
I could be wrong here, but I believe they should use a combination of SHA256 and PGP for signature verification.
Oh, okay, so maybe I misread the sentence. I thought the implication was they used crc32 as opposed to HTTPS. Not sure why you need an additional layer in addition to https- as long as the certificate chain is setup properly. And again, you're not gaining additional security if you submit the hash (or a gpg key) through the same channel. So if they already use https and just want to check for broken downloads, crc32 is perfectly fine. It's just security theater at that point.
I swear, AMD and Microsoft are two brain cells competing for third place
What a stupid expectation. A company with a market cap of 700 billion can't just throw 10.000 bucks around. Ya'll need to think of the sustainability of the company.
They really do be stepping over dollars to pick up pennies.
Or in this case, to save them.
Nothing quite like creating a specific incentive for researchers to seek "alternative" sources of income as payment for their research efforts.
Microsoft tried this .. seems to be working out for them .. not.
But they saved themselves a whopping $10,000. It's not like AMD has that kind of money to throw around.