• isekaihero@ani.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    28 days ago

    The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I’m sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.

    • riko@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      28 days ago

      That is essentially the behavior AMD is incentivizing here.

  • iturnedintoanewt@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    30 days ago

    Holy crap. I’d say not to buy AMD if you value your security (i have an AMD CPU and the Deck too). You already know the next vulnerability they’re going to be the last ones to find out. In the news, probably.

    • Peter1986C@nord.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      29 days ago

      The Steam Deck does run Linux right? Generally that means the used drivers are not written by AMD and also do not have an auto-updater from AMD. The deck is supposed to update through it’s OS’es package manager and supposedly has the Mesa and Linux Foundation drivers in use.

      • BlackLaZoR@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        28 days ago

        AMD does contribute to MESA and kernel driver. It’s all open source, but they do lot of heavy lifting regardless

  • 🇨🇦 tunetardis@piefed.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    30 days ago

    Researcher commenting on the patch:

    he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore

    I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!

    I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.

  • kuhli@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    29 days ago

    Y’all really need to read past the headline:

    the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with

    • AAA@feddit.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      28 days ago

      If it’s in the code, it’s a bug. If it’s not used, then remove it entirely. Everything in the code should be treated as operational.

    • rustydrd@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      29 days ago

      I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.

      Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.