• AMD denies researcher $10,000 bug bounty reward despite spotting

    From TechnologyDaily@1337:1/100 to All on Mon Jun 15 13:15:27 2026
    AMD denies researcher $10,000 bug bounty reward despite spotting critical-severity issue

    Date:
    Mon, 15 Jun 2026 12:00:00 +0000

    Description:
    The company updated its bug bounty disclosure rules retroactively.

    FULL STORY ======================================================================
    Researcher Paul found RCE via MITM in AMD's autoupdater, but bounty denied
    AMD imposed extended embargo, later changed disclosure rules after criticism
    Security community pushed back, saying new policy discourages transparency and undervalues researchers

    A security researcher discovered a remote code execution (RCE) vulnerability in an AMD product, but the company allegedly denied him the bug bounty it promised for such findings.

    In February 2026, a researcher called Paul discovered a potential RCE flaw via a man-in-the-middle (MITM) attack in AMD's auto-updater software. He reported it to AMD and published a blog post about his findings. However, AMD said MITM attacks are not covered by the bounty (despite this being an RCE flaw) and asked the researcher to pull the blog offline, which he did.

    The company asked for a 100-day embargo on breaking the news, since additional tools were allegedly vulnerable as well. That embargo later ended up being 124 days, significantly longer than the usual 90-day window.

    In its writeup, Tom's Hardware argues this alone merits reconsideration over denying the $10,000 bounty reserved for such flaws.

    AMD addressed the issue by reengineering the download code in the
    autoupdater, but then another issue arose: the updater was actually broken
    and unable to update itself.

    To make matters worse, after news broke that it denied the researcher the bounty, AMD allegedly updated its bug bounty disclosure rules to extend the non-disclosure requirements to cover bugs deemed out of scope. According to TechSpot, critics immediately pointed out it appeared to be a direct response to the public criticism rather than a pre-existing policy.

    The same publication also said that the security community pushed back hard, since the change effectively tells future researchers that even if a bug
    falls outside bounty scope, they cannot immediately disclose it publicly, removing one of the only tools researchers have to pressure companies into taking their findings seriously.

    On Reddit, the community is discussing whether AMD values the researchers who bring it critical vulnerabilities.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/amd-denies-researcher-usd10-000-bug-bounty-reward-despite-spotting-critical-severity-issue


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)