- Researcher Paul found RCE via MITM in AMD’s automatic update, but bounty denied
- AMD introduced extended embargo, later changed disclosure rules after criticism
- The security community pushed back, saying the new policy discourages transparency and undervalues researchers
A security researcher discovered a Remote Code Execution (RCE) vulnerability in an AMD product, but the company reportedly denied him the bug payout it promised for such findings.
In February 2026, a researcher named Paul discovered a potential RCE flaw via a man-in-the-middle (MITM) attack in AMD’s automatically updated software. He reported it to AMD and published a blog post about his findings.
However, AMD said that MITM attacks are not covered by the bounty (despite this being an RCE bug) and asked the researcher to take the blog offline, which he did.
The company asked for a 100-day embargo on breaking the news, as additional tools were also reportedly vulnerable. That embargo later ended up being 124 days, considerably longer than the usual 90-day period.
In its letter, Tom’s Hardware contends that this alone merits reconsidering the denial of the $10,000 bounty reserved for such errors.
AMD fixed the problem by refactoring the download code in the auto-updater, but then another problem arose: the updater was actually broken and unable to update itself.
To make matters worse, following the news that it denied the researcher the bounty, AMD reportedly updated its bug bounty disclosure rules to expand non-disclosure requirements to cover bugs deemed out of scope. According to TechSpot, critics pointed out “immediately that it appeared to be a direct response to public criticism rather than a pre-existing policy.”
The same publication also said the security community “pushed back hard” as the change effectively “tells future researchers that even if a bug falls outside the bounty scope, they cannot immediately disclose it publicly, removing one of the only tools researchers have to pressure companies to take their findings seriously.”
On Reddit, the community is debating whether AMD “appreciates the researchers who bring it critical vulnerabilities”.




