๐Ÿ‡จ๐Ÿ‡ณStalecollected in 14h

AMD accused of delaying patches and withholding bug bounties

AMD accused of delaying patches and withholding bug bounties
PostLinkedIn
๐Ÿ‡จ๐Ÿ‡ณRead original on cnBeta (Full RSS)

๐Ÿ’กUnderstand the risks of working with hardware vendors' bug bounty programs to protect your research efforts.

โšก 30-Second TL;DR

What Changed

AMD allegedly took 124 days to address a reported security vulnerability.

Why It Matters

This controversy may damage AMD's reputation within the white-hat hacker community, potentially discouraging future responsible disclosures. It highlights the importance of clear, immutable security disclosure policies for hardware vendors.

What To Do Next

If you are a security researcher, always document bug bounty terms in writing before submitting critical vulnerabilities to hardware vendors.

Who should care:Researchers & Academics

Key Points

  • โ€ขAMD allegedly took 124 days to address a reported security vulnerability.
  • โ€ขThe company reportedly modified its bug bounty program terms retroactively.
  • โ€ขA $10,000 reward was withheld from the researcher following the policy change.
  • โ€ขThe incident has drawn criticism from the cybersecurity community regarding transparency.

๐Ÿง  Deep Insight

Web-grounded analysis with 8 cited sources.

๐Ÿ”‘ Enhanced Key Takeaways

  • โ€ขThe security researcher involved in the dispute is identified as Paul, also known as MrBruh.
  • โ€ขThe vulnerability (CVE-2026-40677) was a Remote Code Execution (RCE) flaw in AMD's auto-updater software, exploitable via a Man-in-the-Middle (MITM) attack due to insecure HTTP downloads and lack of proper certificate/signature validation.
  • โ€ขAMD initially dismissed the reported bug as "out of scope" for its bug bounty program, despite it later receiving a CVSS 4.0 score of 7.7, indicating a significant severity.
  • โ€ขAMD reportedly updated its bug bounty policy after the researcher's public disclosure gained traction, retroactively adding a clause that prohibits researchers from disclosing vulnerability information without AMD's written consent, even for out-of-scope reports.
  • โ€ขThe incident has drawn widespread criticism from the cybersecurity community, with experts warning that such corporate actions could undermine the integrity of coordinated vulnerability disclosure and deter future responsible reporting.

๐Ÿ› ๏ธ Technical Deep Dive

  • The vulnerability (CVE-2026-40677) was a Remote Code Execution (RCE) flaw found in AMD's auto-updater software.
  • The core issue was that while the updater pulled its update list over HTTPS, the actual executable download links used plain HTTP.
  • The updater reportedly lacked proper certificate validation or real signature checks before executing downloaded files, making it susceptible to Man-in-the-Middle (MITM) attacks.
  • An attacker could exploit this by replacing legitimate update files with malicious executables, which would then run with elevated privileges due to the updater's permissions.
  • Affected mitigated versions include AMD Ryzen Master 2.14.3, AMD ยตProf 5.3, and AMD Management Console 14.0.0.
  • Although AMD reportedly reengineered the download code, the new version still uses the CRC32 hash for file validity checks, which is not considered cryptographically secure.

๐Ÿ”ฎ Future ImplicationsAI analysis grounded in cited sources

AMD's reputation among security researchers may suffer, potentially leading to fewer responsible disclosures.
The perceived retroactive policy change and denial of bounty could discourage researchers from reporting vulnerabilities to AMD, opting instead for public disclosure or selling flaws on the black market.
The incident could prompt other companies to review and clarify their bug bounty program terms to prevent similar disputes.
The controversy highlights ambiguities in bug bounty policies, particularly regarding out-of-scope findings and disclosure requirements, which other companies might seek to address proactively.
Increased scrutiny on corporate ethics in vulnerability disclosure and bug bounty programs is likely.
The debate sparked by this incident could lead to broader industry discussions and calls for more transparent and consistent practices in handling security research and rewards.

โณ Timeline

2026-01-27
Security researcher MrBruh discovers an RCE vulnerability in AMD's auto-updater software.
2026-02-06
MrBruh reports the vulnerability to AMD through its bug bounty program.
2026-02
AMD initially closes the report as 'out of scope' and later requests MrBruh to temporarily remove his public blog post.
2026-06-09
AMD releases a fix for the vulnerability, 124 days after the initial finding.
2026-06-12
News breaks about AMD denying the $10,000 bug bounty and retroactively changing its bug bounty policy after MrBruh's public disclosure.

๐Ÿ“Ž Sources (8)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

  1. tomshardware.com
  2. techspot.com
  3. reddit.com
  4. reddit.com
  5. reddit.com
  6. reddit.com
  7. reddit.com
  8. reddit.com
๐Ÿ“ฐ

Weekly AI Recap

Read this week's curated digest of top AI events โ†’

๐Ÿ‘‰Related Updates

AI-curated news aggregator. All content rights belong to original publishers.
Original source: cnBeta (Full RSS) โ†—