AMD is facing criticism after a security researcher reported a critical flaw in its driver auto-update system, only to be denied the promised $10,000 bug bounty even though the company eventually shipped a fix 124 days later. The case centers on a remote code execution path reached through a man-in-the-middle attack, the sort of bug vendors love to describe as "out of scope" right up until they patch it.

The researcher filed the report through AMD’s vulnerability reward program and expected the usual payout for an RCE-class issue. AMD rejected the claim, saying MITM scenarios like this are not covered by its payment policy. That stance is legally tidy and reputationally messy: security teams want clear rules, but researchers also want to know why a vulnerability is worth fixing fast and somehow still not worth paying for.

What the AMD bug report described

The reported flaw involved AMD software that could be manipulated during the update process, allowing an attacker in the middle of the connection to potentially trigger code execution. In plain English, that means the update path itself became the attack surface, which is exactly the kind of place where users expect a vendor to be paranoid.

AMD did not leave the issue untouched. It ultimately released a patch, but the fix took 124 days and went through multiple deadline shifts before landing. That kind of delay is not unusual in security work, especially when a patch touches update infrastructure, but it does make a refusal to pay look stingier than strategic.

Why AMD bug bounty policies keep causing friction

Bug bounty programs work best when the reward matches the risk, yet companies often carve out exceptions that leave researchers guessing. MITM bugs sit in a gray zone for many vendors: serious enough to merit a fix, convenient enough to exclude from payment if the policy language is narrow.

That mismatch matters because coordinated disclosure depends on trust. The researcher agreed to an embargo and temporarily pulled the public write-up, which is exactly the behavior vendors say they want. If the payout still disappears after that, the next researcher may decide public embarrassment pays better than private reporting.

AMD security program payout dispute in brief

  • Reported issue: critical vulnerability in AMD’s automatic driver update system
  • Attack path: remote code execution via man-in-the-middle technique
  • Company response: patch released after 124 days
  • Reward outcome: promised $10,000 was not paid

The uncomfortable question now is whether AMD’s policy is too narrow for the kind of bugs modern software actually produces. Update channels, sign-in flows, and driver tooling are common targets because they sit at the center of trust. If vendors keep defining them out of bounty coverage, they may find fewer people willing to help clean up the mess.

Source: Ixbt
