[tptacek]

I have thought about AMD's security team and their practices once in the past 18 months, and it was this morning, reading this thread. I do not care about AMD or what you think about AMD. AMD has absolutely nothing to do with my point.

[Hizonner]

You commented on this very issue when it first came up 4 months ago. If I remembered that, so should you. I mean, I'm prepared to believe that you did not think on that occasion, if you want to confirm that's what you mean...

If you don't care about AMD, why are you white-knighting AMD and defending AMD's bad behavior?

But, hey, OK, let's not make it about AMD specifically. It doesn't matter what any company thinks the purpose of its program is, nor does it matter what scope any company unilaterally decides to set for its program. What the outside world is going to see is whether or not you ignore security bugs. Your weird arcane internal policies, justifcations, and "scopes" are irrelevant. And, although I don't honestly care much about "security researchers", you can't really expect them to keep track of your private set of scope rules either... assuming you even tried to tell them the rules in advance to begin with.

[tptacek]

Why do you think we're going to have a productive conversation after accusing me of "white-knighting" for AMD (and how does that even make sense? What's your mental model of why I would be doing that?)

My motivation here is very simple: I think people dunking on AMD's bounty program here mostly don't understand how bug bounties function. You apparently keep track of my comments on HN, so I think you know that's a beat I have here.