top | item 46909092

(no title)

Hizonner | 24 days ago

Apparently it's also outside the scope of their bug fixing program, despite being trivially remotely exploitable to get privileged code execution.

Man in the middle attacks may be "out of scope" for AMD, but they're still "in scope" for actual attackers.

Ignoring them is indefensibly incompetent. A policy of ignoring them is a policy of being indefensibly incompetent.

discuss

tptacek|24 days ago

The only thing cited here is a response from their bug bounty program. Excluding MITM from a bug bounty is perfectly legitimate. Actually, excluding anything from a bounty program is.

tgsovlerkhgsel|23 days ago

Excluding severe vulnerabilities like ones that completely pwn your machine just by connecting it to an untrusted network is not legitimate for any reasonable bug bounty program.

Of course, a company can do it (they just did!), but it shows that they don't care about security at all.

Especially if the answer is "sorry this is out of scope" rather than "while this is out of scope for our bug bounty so we can't pay you, this looks serious and we'll make sure to get a patch out ASAP".

gusgus01|23 days ago

The response from the screenshot appears to be a "out of scope" response, but the blog poster used some editorial leeway and called it "wont fix/out of scope". Going forward, we can keep de-compiling and seeing if this vulnerability is still there and whether "wont fix" was a valid editorialization.

Though, by publishing this blog and getting on the HN front page, it really skews this datapoint, so we can never know if it's a valid editorialization.

Edit: Ah, someone else in this thread called out the "wont fix" vs "out of scope" after I clicked on reply: https://news.ycombinator.com/item?id=46910233. Sorry.