What's Happening?
AMD has faced criticism for its handling of a security vulnerability reported by a researcher known as MrBruh. The issue involved a remote code execution vulnerability in AMD's auto-updater software, which the company initially dismissed as 'out of scope.' The researcher discovered that the updater used plain HTTP for downloading executable files, which could allow a man-in-the-middle attack. Despite the vulnerability receiving a CVE score of 7.7, AMD initially closed the report without awarding a bounty. After the researcher's findings gained attention online, AMD's internal team revisited the issue and asked the researcher to remove his public disclosure. Subsequently, AMD changed its bug bounty rules to require written consent for disclosure, even for reports deemed ineligible for a bounty.
Why It's Important?
This incident highlights significant concerns about transparency and accountability in corporate cybersecurity practices. AMD's response to the vulnerability report and subsequent rule changes could impact its reputation among security researchers and the broader tech community. The situation underscores the importance of clear and fair bug bounty programs, which are crucial for encouraging researchers to report vulnerabilities responsibly. The handling of this case may deter future disclosures, potentially leaving security flaws unreported and unpatched, which could pose risks to users and the integrity of AMD's software.
What's Next?
AMD has acknowledged the vulnerability and credited the researcher in its official bulletin. The company has implemented updates to use HTTPS and claims to have added signature verification, although the researcher disputes the effectiveness of these measures. Users are advised to manually update AMD software to ensure security. The broader tech community may watch closely to see if AMD's revised bug bounty rules affect future vulnerability disclosures and how other companies might adjust their policies in response to this incident.













