AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw

midian182

WTF?! AMD has patched a remote code execution vulnerability in its auto-updater software, but there's a lot more to this story. The company is facing a slew of criticism over how it handled the researcher who reported it. Team Red first dismissed the bug as "out of scope," then asked him to stay quiet, then changed its rules after the fact to make that silence a requirement.

The vulnerability was discovered by security researcher MrBruh after an AMD updater console window kept appearing on his new gaming PC.

Decompiling the software revealed that while AMD's updater pulled its update list over HTTPS, the executable download links themselves used plain HTTP. Worse still, the updater apparently performed no certificate validation or real signature check before running the downloaded file.

That vulnerability could allow a man-in-the-middle attack. Someone on the same network, or in a position to interfere with the connection further upstream, could potentially replace AMD's update file with a malicious executable. Because the updater runs with elevated privileges, the result could be remote code execution.

After discovering it on January 27, MrBruh reported the issue to AMD on February 6 through its bug bounty program. The company's response was to close the report because it was deemed "out of scope," as it involved a man-in-the-middle attack and affected optional tools. That meant no bounty, despite the bug later receiving CVE-2026-40677 and a CVSS 4.0 score of 7.7. The full process lasted 124 days, with the embargo ending on June 9.

After MrBruh published his findings and the post gained traction on Hacker News, AMD's internal PSIRT team reappeared to say the issue was still being reviewed. The company then asked him to take the post down while it worked on a fix, saying the disclosure did not appear to comply with the program's terms.

According to Gamers Nexus, AMD later changed the wording of its bug bounty rules to state that researchers must not disclose vulnerability information without AMD's written consent even if a report is deemed ineligible for a bounty or out of scope. It seems AMD accused MrBruh of breaking a rule it introduced only after he violated it.

AMD's official bulletin now acknowledges the vulnerability and credits MrBruh. It lists AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Management Console 14.0.0 as mitigated versions. But the patch still raises questions.

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
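To make concrete why a CRC32 check is not the signature verification AMD claimed, and what the original updater was missing before running a downloaded file, here is an added Go example that is not part of the article or of AMD's code. It builds a constructed update, checks it with a keyless CRC32 and with an Ed25519 signature under a pinned public key, then substitutes the payload: the CRC32 check still passes because anyone can recompute it, while the signature check rejects the file. The key pair, the payload bytes and the Update struct are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Update models a downloaded update: executable bytes plus the integrity data
// shipped with them (every value in this example is constructed).
type Update struct {
	Payload []byte
	CRC     uint32 // keyless checksum, the kind of check MrBruh found
	Sig     []byte // Ed25519 signature over Payload, what a real check needs
}

// crcCheckPasses is a CRC32-only test: it catches accidental corruption, but
// anyone can recompute the value for any payload, so it proves nothing about origin.
func crcCheckPasses(u Update) bool {
	return crc32.ChecksumIEEE(u.Payload) == u.CRC
}

// signatureCheckPasses accepts only a signature valid under the public key
// pinned in the updater; only the holder of the matching private key can make one.
func signatureCheckPasses(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Sig)
}

// swapPayload models a substituted executable: a fresh CRC32 needs no key,
// but Sig cannot be regenerated without the vendor's private key, so it stays stale.
func swapPayload(u Update, replacement []byte) Update {
	return Update{Payload: replacement, CRC: crc32.ChecksumIEEE(replacement), Sig: u.Sig}
}

// buildScenario signs a genuine update under a freshly generated vendor key
// (assumed here) and derives a substituted copy for both checks to judge.
func buildScenario() (ed25519.PublicKey, Update, Update, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Update{}, Update{}, err
	}
	body := []byte("constructed: genuine updater executable")
	genuine := Update{Payload: body, CRC: crc32.ChecksumIEEE(body), Sig: ed25519.Sign(priv, body)}
	swapped := swapPayload(genuine, []byte("constructed: substituted executable"))
	return pub, genuine, swapped, nil
}

func main() {
	pub, genuine, swapped, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine     crc/sig:", crcCheckPasses(genuine), signatureCheckPasses(pub, genuine))
	fmt.Println("substituted crc/sig:", crcCheckPasses(swapped), signatureCheckPasses(pub, swapped))
}
```

Transport encryption (HTTPS) protects the download in flight; the pinned-key signature check is what lets the updater refuse a file that did not come from the vendor, regardless of how it arrived.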

MrBruh also says a separate redirection bug means the updater may not be able to update itself properly. He recommends that users fully uninstall AMD's software and download the latest versions manually from the company's website instead.

 
Seems to me AMD and MrBruh did not enter a contract since AMD declined his findings, so AMD was not in a position to stipulate any "rules" on MrBruh.
 
Disgraceful that AMD won't honour their pledge to pay bounty hunters. As Steve said there is no use any longer to inform AMD, as they will change their rules to retroactively deny you your claim, and hackers might as well sell the bug online.
 
I think AMD should have paid him. Having said that, it's getting tiresome to read about "security vulnerabilities" where you have to open the case and do x, y and z. Or "someone with administration privileges" can read the memory contents with..... In this case, it has to be a man in the middle attack during an update, on the network, etc.

These bounties need to get a tier system based on how likely the conditions are met to take advantage of the bug. There's a huge difference to a list being exposed to anyone who logs into someplace, and you need access to the hardware as well as admin privileges.
 
AMD, Microsoft, and others have been quite poor when it comes to bug bounty programs. These companies don't seem to understand the point of them; instead they'll get bit in the *** eventually (Microsoft already has been by Nightmare Eclipse).
 
AMD is not your friend.......as the saying goes. But then again, who gives a flying ****? It's just another POS corporation pedaling AI.
 
Bug bounty programs only work when researchers trust the process. Saving $10,000 today could cost AMD far more if the next person decides disclosure is easier than spending four months being ignored.
 
What does AMD gain from this? Whoever in the chain of command decided that this was a good idea and actualized it needs to be fired.

You do not want to be setting a precedent like, "if you find a bug in our software, we will ingest the data, deny you compensation and then change the rules after the fact to make our f*ck up 'part of the contractual agreement'." Do you want customers? Because even if you've deluded yourself into thinking that getting out of the retail business entirely, in favor of AI and enterprise exclusively makes good business sense, companies still want assurances that your software stack isn't lousy with bugs and exploits.

You can't just say "deal with it", when multi-hundred million dollar contracts are on the line. That's a class-action lawsuit waiting to happen.
 
"He recommends that users fully uninstall AMD's software " FALSE.

You only need to uninstall AMD install manager (which I always do because it's REDUNDANT).
 
If I ever found a serious flaw of any kind I'd exploit the crap out of it. I'll serve humanity not these dirty corporate slugs 😆 tick-tock 🕜 and don't for one moment think I'm the only one thinking this way. More and more hackers are dis.RUP.ting! They are getting pi#$$ed!
 
If I ever found a serious flaw of any kind I'd exploit the crap out of it. I'll serve humanity not these dirty corporate slugs 😆 tick-tock 🕜 and don't for one moment think I'm the only one thinking this way. More and more hackers are dis.RUP.ting! They are getting pi#$$ed!

In this instance (and in most instances) you would only hit the end users.
 
I think AMD should have paid him. Having said that, it's getting tiresome to read about "security vulnerabilities" where you have to open the case and do x, y and z. Or "someone with administration privileges" can read the memory contents with..... In this case, it has to be a man in the middle attack during an update, on the network, etc.

These bounties need to get a tier system based on how likely the conditions are met to take advantage of the bug. There's a huge difference to a list being exposed to anyone who logs into someplace, and you need access to the hardware as well as admin privileges.
Hey... Maybe they can use AI to set up that tier system.
/s
 