I don’t have all the facts but based on the article I don’t see the problem everyone seems upset about.
They received the report, decided it was valid but didn’t match a bounty. Then they asked him to follow standard responsible disclosure processes, giving him credit in the final release. All very standard.
Should there have been a bounty? AMD has the budget, probably yes. But nothing in the communications seems any different from what I’ve seen and received from companies in the past.
Except when he responsibly disclosed to AMD, they closed the ticket as “out of scope” without any further communication. He then made a blog post about it warning other users about the vulnerability since, ostensibly, AMD didn’t want to fix it. Only after that post had gone viral did AMD suddenly come back saying that, despite the ticket being closed as such, their internal security team was still analysing it, that he should’ve somehow known that, and that he violated the TOC of the bug bounty program (remember, after saying that the vulnerability was out of scope of the program). Additionally, AMD then changed those terms a month after the initial ticket to suddenly say that even if the ticket is refused, you’re still not allowed to talk about it. Then to top it off they took a month longer to fix it than is industry standard, didn’t disclose the fix to the researcher as is customary until a few days before release, and only because he kept badgering them, and as the cherry on top didn’t tell their users that the only way to securely fix this is by uninstalling and reinstalling. Everything about it is scummy behaviour all around.