[tptacek]

AMD didn't deny it was a vulnerability; they denied it was in the scope of the bounty program.

Remember that at giant tech companies, the incentive is to pay out bounties --- there are people on the vendor's team whose performance is measured in part by how much the program pays out.

[gusgus01]

How do we know the incentive is to pay out bounties? And how do we know that doesn't change on the whims of the management chain?

We don't "know" anything unless we are at that company in particular and part of the management conversations. We at best can theorize based on incentives, but that's assuming companies and people are logical, which is a large assumption. I could easily see someone in the midst of layoffs and reduction of overhead initiatives thinking that the solution is to convince everyone you do payouts, but actually minimize payouts, which you could do by creatively using scopes.

[tptacek]

You're right. AMD could for some reason be unlike every other major tech company that runs a bug bounty. Maybe AMD stood up a public bounty where people get their pay docked when bounties get paid, rather than perfed up. They would potentially save, say, 0.000289% of their annual revenue, in exchange for stories like these. Checks out.

[odyssey7]

What hair is this splitting? The issue was that AMD allowed a known and serious security vulnerability to exist within their customers’ systems, for months, and acted with a lack of candor while doing so.

[tptacek]

It's not hair-splitting; it's central to the idea of a bug bounty. Too many people have weird ideas about what bug bounties are for.

[odyssey7]

Okay, fair. I was thinking mostly about the high-impact issue of preserving the security vulnerability and how an essential vendor was not being candid, but you are also right to note how AMD was avoiding its responsibilities to the individual researcher himself.

[tptacek]

I mean I think you think you're doing bank-shot snark here, but what you're really revealing is that your premises hinge on AMD trying to get out of paying a bounty simply to avoid paying it. Since we know up front that's not one of AMD's incentives, what does that do to your argument? It can't help.

[Hizonner]

Yeah, like the weird idea that those programs are intended to in some way reduce the number of exploitable bugs actually out there.

[tptacek]

That's in fact often not their core purpose!

[JumpCrisscross]

What is it?

[tptacek]

(First, I'm sorry I was so terse upthread; I had to get up early for a meeting and was scrolling HN in bed while it was happening without my reading glasses on; I should learn to stop commenting when I'm like that.)

I've written about this before here, but to sum it up:

* Unless something wild happens in software engineering (formal methods, &c) as a result of AI, there's no such thing as eradicating security vulnerabilities. Focused programs can eliminate low-hanging fruit, but at the point where you're offering significant bounties part of the premise is that all that fruit has been plucked. The marginal security impact of a single bounty award, by itself, is immaterial.

* What bounty programs can do is focus internal engineering attention. Large product teams have huge backlogs of issues and security design punch lists. For features and feature bugs, there's a closed loop that prioritizes the work: the market. For security vulnerabilities, bounties serve a similar purpose. This is why many bounties are tightly scoped; the whole point of the program is to direct the efforts of specific product teams.

* When we're talking about 10,000+ person engineering teams, the most important thing to know about bug bounty programs is that the company is incentivized to pay out. No major tech company that runs a bounty is "covering up" vulnerabilities. There's no reason for them to do so. They're running a program that ostentatiously pays rewards to people who report vulnerabilities! There are people on the teams managing the bounties who in effect get paid more when the program pays out more: that's what success looks like.

You add all this stuff up and all the drama about AMD (or Google or whoever) being shady or stingy basically never add up.

[Hizonner]

... which is why the rest of us should give them, and those who operate them, zero respect.

Nobody but AMD gives a fuck about AMD's internal policies or motivations.

[tptacek]

I have thought about AMD's security team and their practices once in the past 18 months, and it was this morning, reading this thread. I do not care about AMD or what you think about AMD. AMD has absolutely nothing to do with my point.

[sakkura]

They wanted to keep it quiet. As if they did not mind if it was exploited by those with access to international network links.