A security researcher who uncovered a critical-severity remote code execution (RCE) vulnerability in an AMD product has been denied the promised $10,000 bug bounty, according to a TechRadar report. The incident has sparked backlash from the security community and raised questions about AMD’s vulnerability disclosure policies.
## The Vulnerability
In February 2026, a researcher identified only as Paul discovered a potential RCE flaw via a man-in-the-middle (MITM) attack in AMD’s auto-updater software. He reported the issue to AMD and published a blog post detailing his findings. However, AMD told Paul that MITM attacks are not covered by its bug bounty program, despite the flaw being an RCE vulnerability — a standard critical-severity category.
AMD also asked Paul to take his blog post offline, which he did. The company requested a 100-day embargo on public disclosure, citing that additional tools were potentially vulnerable. That embargo ultimately lasted 124 days, significantly longer than the industry-standard 90-day window. In its writeup, Tom's Hardware argued that this alone merited reconsideration of the bounty denial.
## The Bug Bounty Dispute
AMD’s decision to deny the $10,000 reward — the amount promised for such critical flaws — drew immediate criticism. The company addressed the technical issue by reengineering the download code in the auto-updater, but a second problem emerged: the updater was broken and unable to update itself.
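The page does not describe how AMD's auto-updater fetched its payload or what the reengineered download code does, so the following is an added illustration of the defence an updater needs against the flaw class described above, not AMD's code. It is a minimal Go implementation of a signed update manifest: the client holds a pinned vendor public key (here generated at runtime for the demo; in a shipped updater it would be compiled in), and refuses any download whose manifest is not signed by that key, whose payload hash does not match the signed manifest, or whose version is not newer than the installed one. With those checks, an on-path attacker who can rewrite the download cannot turn it into code execution. Type and function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Failure modes the updater must refuse to install past.
var (
	ErrBadSignature    = errors.New("manifest signature does not verify against pinned vendor key")
	ErrPayloadMismatch = errors.New("payload hash does not match signed manifest")
	ErrRollback        = errors.New("manifest version is not newer than the installed version")
)

// UpdateManifest is the small signed record the updater fetches next to the
// binary: the version, the SHA-256 of the payload, and the vendor's Ed25519
// signature over both. The payload itself carries no trust; only the
// signature over its hash does.
type UpdateManifest struct {
	Version    uint64
	PayloadSHA [32]byte
	Signature  []byte
}

// signedBytes is the exact byte string the vendor signs and the client verifies:
// big-endian version followed by the payload hash, so neither can be swapped alone.
func signedBytes(version uint64, sha [32]byte) []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf[:8], version)
	copy(buf[8:], sha[:])
	return buf
}

// SignManifest runs on the vendor's release side, where the private key lives.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{
		Version:    version,
		PayloadSHA: sum,
		Signature:  ed25519.Sign(priv, signedBytes(version, sum)),
	}
}

// VerifyUpdate runs on the client before anything downloaded is written to disk
// or executed. All three checks must pass; because the signature covers both the
// version and the hash, a network attacker can substitute neither the payload nor
// an older, genuinely signed release.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, m UpdateManifest, payload []byte) error {
	if m.Version <= installed {
		return ErrRollback
	}
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.PayloadSHA), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadMismatch
	}
	return nil
}

func main() {
	// Constructed demo keys: a real updater ships the public key inside the binary.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed update payload v2")
	m := SignManifest(priv, 2, genuine)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, genuine))
	// A payload substituted on the network fails the hash check.
	fmt.Println("swapped payload:", VerifyUpdate(pub, 1, m, []byte("something else")))
	// A manifest signed with any key other than the pinned one fails the signature check.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign manifest:", VerifyUpdate(pub, 1, SignManifest(otherPriv, 3, genuine), genuine))
	// Re-serving an older signed release fails the rollback check.
	fmt.Println("rollback:", VerifyUpdate(pub, 5, m, genuine))
}
```

Transport security (TLS with certificate validation) still belongs on the download channel, but the signature check is what makes the updater's trust independent of the network path; a check that relied only on the hash published at the same unauthenticated URL as the payload would be defeated by the same interception.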
AMD’s handling has been further complicated by a subsequent policy change. According to TechSpot, AMD updated its bug bounty disclosure rules to extend non-disclosure requirements to cover bugs deemed out of scope. Critics immediately pointed out that the change appeared to be a direct response to public criticism rather than a pre-existing policy.
> "It appeared to be a direct response to the public criticism rather than a pre-existing policy." — TechSpot, on AMD's rule change
## Industry Backlash
The security community pushed back hard against the revised policy. TechSpot noted that the change effectively tells future researchers that even if a bug falls outside bounty scope, they cannot immediately disclose it publicly, removing one of the only tools researchers have to pressure companies into taking their findings seriously.
On Reddit, the community debated whether AMD truly values the researchers who bring it critical vulnerabilities. The broader implication for enterprise technology leaders is clear: bug bounty programs rely on trust and transparency. A policy that appears punitive can deter researchers from reporting flaws, potentially leaving critical vulnerabilities unpatched.
| Event | When | Details |
|---|---|---|
| Vulnerability reported | February 2026 | Paul discovers RCE via MITM in AMD auto-updater |
| Bounty denied | February 2026 | AMD says MITM not covered, asks for blog removal |
| Embargo | 124 days | Originally 100 days, extended beyond typical 90-day window |
| Code fix applied | Post-disclosure | AMD reengineers download code but breaks updater self-update |
| Policy change | After backlash | AMD extends non-disclosure scope to out-of-scope bugs |
For CTOs and cybersecurity leaders, the AMD case underscores the importance of clear, consistent bug bounty policies. Denying a reward for a technically valid RCE finding — even if the attack vector is MITM — risks alienating the ethical hacker community that often serves as a first line of defense.