When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works .
First, the good news: the updater is now seemingly secured, and you if you download the latest version of AMD's software pack, you ought to get a fixed version. The road to this point has been far from smooth, though, and to this day, Paul seemingly never saw a dime for his efforts, a story that is becoming commonplace if Microsoft's issues with Nightmare-Eclipse are anything to go by. An RCE bug would otherwise be worth $10,000 if AMD fully acquiesced the significance of problem.
The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.
AMD replied saying that it would "likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases." That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing "http" with "https" in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul's work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn't it have a higher priority?
Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of "wassup?" before the clock ticked its last tock, only to be asked for extra time again, being told that "multiple tools are affected by [the bug]", and that "[AMD's] customers request additional time once [the fixes] are made available." Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.
Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company ruined their life
Microsoft's bug-hunting nemesis extends vendetta with more zero-day attacks
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/amd-denies-researcher-a-usd10-000-bug-bounty-after-fixing-critical-auto-updater-vulnerability-security-flaw-took-124-days-to-patch#main
- https://www.tomshardware.com/subscription
- NVIDIA Research Unlocks Advanced Grasping, Smarter Autonomous Driving and Agent Training at Scale
- NVIDIA Enables the Next Era Of Physical AI Research With Agent Skills For Autonomous Vehicles, Robotics And Vision AI
- Amazon Prime Day
- Researchers recycle old phones and cluster them into ‘computing platforms’ that operate as a low-cost data center — says processors on modern smartphones delive
- AI costs spike as subscriptions hit pricing wall — firms turn towards Chinese LLMs, open-source models to extend budget
Informational only. No financial advice. Do your own research.