The RCE that AMD wouldn't fix
6.9 relevance
Score Breakdown
technical depth 8
novelty 7
actionability 5
community 8
strategic 6
personal 7
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
AMD RCE vulnerability disclosure is technically deep and relevant to infrastructure security.
Summary
A researcher found a trivially exploitable remote code execution (RCE) bug in AMD's AutoUpdate software: the URLs from which it downloads executables use plain HTTP rather than HTTPS, so an on-path (man-in-the-middle, MITM) attacker can swap the update binary for a malicious one, which the updater then runs. AMD's bug bounty program rejected the report as out of scope because MITM attacks are excluded from it. After the report drew attention on Hacker News, AMD's PSIRT assigned a CVE and committed to a fix, while asking the researcher to extend the embargo beyond the standard 90-day disclosure window. For practitioners, the lesson goes beyond transport encryption: an updater should verify a downloaded installer against a vendor signature or a digest from an authenticated manifest before executing it, so that a spoofed or compromised download server cannot substitute a binary either.
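To make the failure mode concrete, here is an added example (not AMD's code, and not from the researcher's report) that models an auto-updater which fetches an installer by URL and then runs it. The simulated network rewrites plaintext HTTP responses when an attacker is on the path, which is the property the report hinges on. The vulnerable updater runs whatever arrives; the hardened one refuses non-HTTPS URLs and checks the file against a pinned SHA-256 before execution. The URLs, payload bytes, pinned digest and the `.exe`/`.msi` suffix list used by the audit helper are all constructed assumptions for this example, and no network access is performed.

```python
"""Added example (not AMD's or the researcher's code): a minimal model of an
auto-updater that downloads an installer and runs it, showing why a plain-HTTP
download URL turns an on-path attacker into RCE, and what a hardened updater
checks. All payloads, URLs and digests are constructed; nothing touches the network.
"""
import hashlib
from urllib.parse import urlparse

# Constructed stand-ins for the vendor's genuine installer and an attacker's payload.
GENUINE_INSTALLER = b"MZ\x90\x00genuine-vendor-installer"
ATTACKER_PAYLOAD = b"MZ\x90\x00attacker-controlled-binary"

# What a signed/authenticated update manifest would pin for the genuine file
# (computed here from the constructed bytes rather than taken from any real manifest).
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def fetch(url: str, attacker_on_path: bool = True) -> bytes:
    """Simulated network fetch.

    An attacker on the path (rogue Wi-Fi, compromised router or ISP) can rewrite a
    plaintext HTTP response byte-for-byte; a TLS response with certificate
    validation cannot be rewritten. This function models only that property.
    """
    scheme = urlparse(url).scheme
    if scheme == "http" and attacker_on_path:
        return ATTACKER_PAYLOAD        # the binary the client asked for is replaced in transit
    if scheme in ("http", "https"):
        return GENUINE_INSTALLER
    raise ValueError(f"unsupported scheme: {scheme!r}")


def run_installer(blob: bytes) -> str:
    """Stand-in for launching the downloaded executable; returns who gets code execution."""
    return "attacker" if blob == ATTACKER_PAYLOAD else "vendor"


def vulnerable_update(url: str) -> str:
    """The pattern described in the report: download, then execute, with no checks."""
    return run_installer(fetch(url))


def hardened_update(url: str, expected_sha256: str) -> str:
    """Refuse plaintext transport, then verify against a pinned digest before running.

    The digest check matters even over HTTPS: it also catches a spoofed or
    compromised download server, which TLS alone does not.
    """
    if urlparse(url).scheme != "https":
        raise ValueError("update URL must use https")
    blob = fetch(url)
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("downloaded installer does not match the pinned digest")
    return run_installer(blob)


# Assumed executable suffixes for the audit helper (an assumption of this example).
EXECUTABLE_SUFFIXES = (".exe", ".msi")


def plaintext_executable_urls(manifest: list[str]) -> list[str]:
    """Audit helper: list manifest URLs that fetch an executable over plaintext HTTP.

    Useful when reviewing an updater's manifest or captured traffic for the
    exact class of bug reported here.
    """
    return [
        u for u in manifest
        if urlparse(u).scheme == "http" and u.lower().endswith(EXECUTABLE_SUFFIXES)
    ]


if __name__ == "__main__":
    # Constructed URLs; the host name is a placeholder, not AMD's update server.
    http_url = "http://updates.example.com/AutoUpdate.exe"
    https_url = "https://updates.example.com/AutoUpdate.exe"
    print("vulnerable over http :", vulnerable_update(http_url))
    print("vulnerable over https:", vulnerable_update(https_url))
    print("hardened over https  :", hardened_update(https_url, PINNED_SHA256))
    print("plaintext exe URLs   :", plaintext_executable_urls([http_url, https_url]))
```

Run it directly to see the vulnerable updater hand execution to the attacker over HTTP while the hardened path refuses the URL outright; `plaintext_executable_urls` is the one-line check to run over any updater manifest before worrying about the rest.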