AMD Stiffs Researcher $10k Bug Bounty

Original link: https://www.gadgetreview.com/amd-stiffs-researcher-10000-bug-bounty-after-critical-security-flaw-takes-124-days-to-fix

Researcher Paul LaRosa discovered a critical security vulnerability in AMD's Windows auto-updater, which fetched software over an insecure HTTP connection. The flaw allowed an attacker to intercept updates and execute malicious code on the user's system. Despite the severity of the remote code execution risk, AMD took 124 days to release a fix, far longer than industry norms. AMD also refused to pay LaRosa the expected $10,000 bug bounty, citing a policy exclusion for man-in-the-middle attacks. Even after the patch, security experts remain concerned: the updated software still relies on a weak CRC32 checksum rather than a strong cryptographic signature to verify file integrity. The incident highlights a troubling trend: large vendors tend to prioritize trimming bug bounty payouts over prompt and thorough security remediation, leaving users exposed to the risks of outdated security practices.

Hacker News discussion (26 points, submitted by worik), one comment:

zingababba: The researcher's original write-up: https://mrbruh.com/amd2/
Original article

Finding a critical security vulnerability should get you rewarded, not stiffed. AMD’s auto-updater was downloading software over insecure HTTP connections, letting network attackers slip malicious code onto your system during routine updates. The researcher who found this remote code execution flaw expected a $10,000 bounty. Instead, AMD fixed the problem after four months and paid nothing.

The Flaw That Could Own Your System

A trusted update process became an open highway for malware delivery.

Paul LaRosa discovered that AMD’s Windows auto-updater—used by Ryzen Master and other utilities—was grabbing updates through unencrypted HTTP connections. Anyone positioned on your network could perform a man-in-the-middle attack, swapping legitimate driver downloads with malware. Think of it like ordering food delivery but letting strangers intercept and replace your meal between the restaurant and your door. Your system would happily install whatever the attacker served up, believing it came from AMD.

This affects you if you’ve used AMD utilities that handle automatic updates. The vulnerability created a highway for attackers to achieve remote code execution, essentially gaining control of your machine through what should be a trusted update process.

Four Months of “Just a Little More Time”

What started as a 90-day disclosure window stretched into a four-month waiting game.

AMD acknowledged the flaw was real but refused the bounty, citing policy exclusions for man-in-the-middle attacks. The company asked LaRosa to delay public disclosure in February, promising a fix within 90 days—standard practice in security research. Then AMD asked for more time. Then more again. The final patch arrived 124 days after the initial report.

Compare that timeline to security best practices: critical vulnerabilities should be patched within 5-14 days, not over four months. It’s like your doctor finding cancer and scheduling treatment for next season. Some flaws demand urgency, especially those affecting automatic update mechanisms that users trust to keep them secure.

Still Using Weak Security After the “Fix”

The patch solved one problem but left deeper security weaknesses untouched.

AMD reengineered the auto-updater to use encrypted downloads, but the fix reveals deeper problems. The updated software still validates downloaded files using CRC32—a checksum that’s about as secure as a screen door. Modern software should use cryptographically signed updates that can’t be forged, not checksums that determined attackers can manipulate.
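To make the checksum-versus-signature distinction concrete, here is an added example (not AMD's code, and not from the article) that models the two checks side by side: a CRC32 taken from a downloaded manifest, and an Ed25519 signature checked against a public key pinned in the updater. The manifest layout, the `Publish`/`Demo` helpers and the sample payloads are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Manifest is a hypothetical layout for the metadata an updater fetches next to the binary.
type Manifest struct {
	CRC32 uint32 // unkeyed: anyone who controls the download can recompute it
	Sig   []byte // keyed: producing it requires the vendor's private key
}

// Publish models the vendor's release step: checksum plus Ed25519 signature.
func Publish(priv ed25519.PrivateKey, payload []byte) Manifest {
	return Manifest{CRC32: crc32.ChecksumIEEE(payload), Sig: ed25519.Sign(priv, payload)}
}

// VerifyCRC32 is the weak check: it only catches accidental corruption.
func VerifyCRC32(payload []byte, m Manifest) bool {
	return crc32.ChecksumIEEE(payload) == m.CRC32
}

// VerifySigned is the hardened check against a public key shipped inside the updater.
func VerifySigned(payload []byte, m Manifest, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, payload, m.Sig)
}

// substituted models the on-path threat the article describes: the payload is
// replaced and every unkeyed field is recomputed; the signature cannot be.
func substituted(orig Manifest, replacement []byte) Manifest {
	return Manifest{CRC32: crc32.ChecksumIEEE(replacement), Sig: orig.Sig}
}

// Demo reports whether each check accepts a substituted payload, and whether the
// signature check still accepts the genuine one. Payloads are constructed samples.
func Demo() (crcAccepts bool, sigAccepts bool, sigAcceptsGenuine bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed: genuine driver package v1.2.3")
	other := []byte("constructed: substituted package")
	m := Publish(priv, genuine)
	sm := substituted(m, other)
	return VerifyCRC32(other, sm), VerifySigned(other, sm, pub), VerifySigned(genuine, m, pub), nil
}

func main() {
	fmt.Println(Demo()) // true false true <nil>
}
```

The CRC32 check accepts the substituted payload because the checksum travels with it and has no secret behind it; the signature check rejects it while still accepting the genuine release.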

This case exposes how major vendors handle security: fix the immediate problem, avoid paying researchers through policy loopholes, and leave underlying weaknesses in place. You’re left wondering which other “secure” auto-updaters are similarly vulnerable, and whether companies care more about their bug bounty budget than your system security.
