AMD accused of delaying patches and withholding bug bounties

๐กUnderstand the risks of working with hardware vendors' bug bounty programs to protect your research efforts.
โก 30-Second TL;DR
What Changed
AMD allegedly took 124 days to address a reported security vulnerability.
Why It Matters
This controversy may damage AMD's reputation within the white-hat hacker community, potentially discouraging future responsible disclosures. It highlights the importance of clear, immutable security disclosure policies for hardware vendors.
What To Do Next
If you are a security researcher, always document bug bounty terms in writing before submitting critical vulnerabilities to hardware vendors.
Key Points
- โขAMD allegedly took 124 days to address a reported security vulnerability.
- โขThe company reportedly modified its bug bounty program terms retroactively.
- โขA $10,000 reward was withheld from the researcher following the policy change.
- โขThe incident has drawn criticism from the cybersecurity community regarding transparency.
๐ง Deep Insight
Web-grounded analysis with 8 cited sources.
๐ Enhanced Key Takeaways
- โขThe security researcher involved in the dispute is identified as Paul, also known as MrBruh.
- โขThe vulnerability (CVE-2026-40677) was a Remote Code Execution (RCE) flaw in AMD's auto-updater software, exploitable via a Man-in-the-Middle (MITM) attack due to insecure HTTP downloads and lack of proper certificate/signature validation.
- โขAMD initially dismissed the reported bug as "out of scope" for its bug bounty program, despite it later receiving a CVSS 4.0 score of 7.7, indicating a significant severity.
- โขAMD reportedly updated its bug bounty policy after the researcher's public disclosure gained traction, retroactively adding a clause that prohibits researchers from disclosing vulnerability information without AMD's written consent, even for out-of-scope reports.
- โขThe incident has drawn widespread criticism from the cybersecurity community, with experts warning that such corporate actions could undermine the integrity of coordinated vulnerability disclosure and deter future responsible reporting.
๐ ๏ธ Technical Deep Dive
- The vulnerability (CVE-2026-40677) was a Remote Code Execution (RCE) flaw found in AMD's auto-updater software.
- The core issue was that while the updater pulled its update list over HTTPS, the actual executable download links used plain HTTP.
- The updater reportedly lacked proper certificate validation or real signature checks before executing downloaded files, making it susceptible to Man-in-the-Middle (MITM) attacks.
- An attacker could exploit this by replacing legitimate update files with malicious executables, which would then run with elevated privileges due to the updater's permissions.
- Affected mitigated versions include AMD Ryzen Master 2.14.3, AMD ยตProf 5.3, and AMD Management Console 14.0.0.
- Although AMD reportedly reengineered the download code, the new version still uses the CRC32 hash for file validity checks, which is not considered cryptographically secure.
๐ฎ Future ImplicationsAI analysis grounded in cited sources
โณ Timeline
๐ Sources (8)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
Weekly AI Recap
Read this week's curated digest of top AI events โ
๐Related Updates
AI-curated news aggregator. All content rights belong to original publishers.
Original source: cnBeta (Full RSS) โ

