AMD refused to pay researcher $10,000 reward after fixing critical vulnerability — patch took 124 days
AMD refused to pay a security researcher a $10,000 bounty for the bug he found, despite his efforts and cooperation with the company.
A security researcher has discovered a critical vulnerability in AMD's auto-update software that could allow remote code execution (RCE) via a man-in-the-middle (MITM) attack, Tom's Hardware reports.
A researcher named Paul submitted a report through AMD's bug bounty program, hoping both to get the issue fixed and to collect the bounty for an RCE. However, the report was rejected because MITM attacks were not covered by the program's rules. Despite this, Paul deleted his blog post describing the situation at AMD's request.
Now this post has reappeared, and this whole story raises a lot of questions about the company's actions.
First, the good news: the update utility seems to have finally been patched, and if you download the latest version of AMD's software package, you'll get a patched version. However, the road to this result was far from easy, and to this day, Paul has apparently not received a penny for his efforts.
The updated post contains the full story, which went like this: Back in February, when AMD asked Paul to temporarily remove the blog post, the company promised to file a CVE, patch the software, and credit him for the discovery, though no reward was offered. Paul agreed (which he now regrets), but asked about AMD’s timeline, and offered the industry-standard 90-day window after which he could go public again.
In response, AMD noted that it “will likely require a longer embargo as the issue appears to have affected other tools besides Ryzen Master, and they will also need updates.” This statement was interesting for a few reasons: First, it raises the question of why AMD took so long to implement a fix that apparently involved replacing just one character in the code—“http” with “https.” Second, if the issue was so serious that it took so long to fix, then clearly Paul’s work deserved some kind of reward. Third, as Paul himself noted, if the issue seemed so urgent, why wasn’t it given a higher priority?
Despite this, he eventually agreed to a 100-day window and reached out to AMD for updates just before the deadline. However, AMD again asked for more time, explaining that “the bug affected multiple tools” and “[AMD] customers are requesting more time after the fixes become available.” AMD eventually got back to him and said that the patch would be ready on June 9th—a total of 124 days after the vulnerability was first discovered.
To its credit, AMD appears to have completely reworked the auto-updater's download code, and Paul confirmed that the new version does indeed download drivers securely. However, he noted that the software only validates the downloaded file using the outdated CRC32 hash, which is no longer considered cryptographically secure.
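To make the two download checks the article contrasts concrete, here is an added example that is not AMD's code: a plain-http fetch validated only by a CRC32 carried on the same channel, beside a hardened check that requires TLS and compares a SHA-256 digest pinned in the updater. The URLs and file contents are constructed.

```python
import hashlib
import hmac
import zlib
from urllib.parse import urlparse

# Constructed sample payloads, not real driver packages.
GENUINE = b"driver-package-v1.0 (constructed sample)"
TAMPERED = b"driver-package-v1.0 (constructed sample) + injected code"

# Digest the updater ships with (or fetches over an authenticated channel),
# so it cannot be swapped together with the file.
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def weak_check(url: str, data: bytes, crc_from_server: int) -> bool:
    """The pattern the article criticises: any URL scheme is accepted and the
    only integrity check is CRC32. CRC32 detects accidental corruption; whoever
    can substitute the file on a plain-http connection can substitute the
    accompanying CRC as well, so the check adds no protection against MITM."""
    return zlib.crc32(data) & 0xFFFFFFFF == crc_from_server


def hardened_check(url: str, data: bytes, pinned_sha256_hex: str) -> bool:
    """Refuse non-TLS transport and verify a pinned SHA-256 digest using a
    constant-time comparison."""
    if urlparse(url).scheme != "https":
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)


def demo() -> dict:
    """Run both checks against a simulated MITM substitution (hypothetical host)."""
    mitm_crc = zlib.crc32(TAMPERED) & 0xFFFFFFFF  # attacker recomputes CRC too
    return {
        "weak_accepts_tampered": weak_check("http://updates.example.invalid/pkg", TAMPERED, mitm_crc),
        "hardened_rejects_http": not hardened_check("http://updates.example.invalid/pkg", GENUINE, PINNED_SHA256),
        "hardened_rejects_tampered": not hardened_check("https://updates.example.invalid/pkg", TAMPERED, PINNED_SHA256),
        "hardened_accepts_genuine": hardened_check("https://updates.example.invalid/pkg", GENUINE, PINNED_SHA256),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Even with the digest pinned, CRC32 would still be a poor choice, since it is a 32-bit error-detecting code rather than a collision-resistant hash; a signed package or a SHA-256 digest obtained over TLS is the appropriate replacement.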
But this is where the real irony begins: according to one Reddit user, the bug that Paul found probably wouldn’t have worked anyway, since the relevant section of code wasn’t called at all. This means that the auto-updater was broken from the start. It was a vicious cycle: AMD couldn’t update the updater because the update function wasn’t working, forcing users to download everything again manually.