AMD is facing heat after a security researcher said he found a critical flaw in the company’s automatic driver update system, reported it through AMD’s vulnerability program, and still walked away empty-handed. The bug allegedly allowed remote code execution through a man-in-the-middle attack, and AMD eventually shipped a fix after 124 days.

The dispute is a bad look for any vendor, especially one selling into enterprise and gaming markets where driver software is supposed to be boring, predictable, and mostly invisible. Instead, this one turned into a long patch cycle and a bounty dispute that highlights the gap between "we take security seriously" and "we'll actually pay for it."

AMD driver update flaw and the reported attack path

According to the researcher, the issue sat inside AMD's automatic update flow and could be abused in a MITM scenario to trigger code execution. In plain English: if an attacker can wedge themselves between the client and the update server (on a hostile Wi-Fi network, for example), a trusted update path can become an attack path. An update client is expected to authenticate the server it talks to and to verify a signature on what it downloads before running it; when either check is missing or can be bypassed, interception turns into code execution with the updater's privileges. That is exactly the kind of thing security teams are paid to worry about.

  • Type of flaw: potential remote code execution
  • Attack method: man-in-the-middle interception
  • Location: AMD’s driver update software
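The following is an added illustration and not AMD's code or the researcher's proof of concept: a constructed update "server" (a dictionary standing in for HTTP responses), a naive client that runs whatever the transport returns, two on-path substitution attacks of the kind the bullets describe, and a hardened client that verifies a manifest signature with a pinned key and then checks the installer against the hash inside that signed manifest. To stay standard-library only, the signature is an HMAC-SHA256 with a key that stands in for the vendor's asymmetric signing key; in a real updater the client would hold only the vendor's public key. All payloads, URLs and key material are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: a real updater verifies an asymmetric signature (e.g. Ed25519)
# with a pinned vendor public key. This example substitutes HMAC-SHA256 with a
# constructed key so it runs on the standard library; the checks are the same.
VENDOR_SIGNING_KEY = b"stand-in-for-vendor-signing-key"  # constructed

LEGIT_INSTALLER = b"#!/bin/sh\necho 'installing vendor driver 24.1.1'\n"  # constructed
EVIL_INSTALLER = b"#!/bin/sh\necho 'attacker code runs as the updater'\n"  # constructed


class UpdateRejected(Exception):
    """Raised by the hardened client when authenticity or integrity checks fail."""


def sign_manifest(manifest_bytes: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Stand-in for the vendor signing the manifest (see assumption above)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def build_vendor_server() -> dict:
    """Constructed stand-in for the update host: URL path -> response bytes."""
    manifest = {
        "version": "24.1.1",
        "path": "/driver.bin",
        "sha256": hashlib.sha256(LEGIT_INSTALLER).hexdigest(),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return {
        "/manifest.json": manifest_bytes,
        "/manifest.sig": sign_manifest(manifest_bytes).encode(),
        "/driver.bin": LEGIT_INSTALLER,
    }


def mitm_swap_payload_only(server: dict) -> dict:
    """On-path attacker rewrites only the installer bytes in transit."""
    tampered = dict(server)
    tampered["/driver.bin"] = EVIL_INSTALLER
    return tampered


def mitm_swap_payload_and_manifest(server: dict) -> dict:
    """On-path attacker rewrites the installer and the plaintext manifest so the
    hash matches, but cannot produce a valid signature without the vendor key."""
    tampered = dict(server)
    tampered["/driver.bin"] = EVIL_INSTALLER
    manifest = json.loads(server["/manifest.json"])
    manifest["sha256"] = hashlib.sha256(EVIL_INSTALLER).hexdigest()
    tampered["/manifest.json"] = json.dumps(manifest, sort_keys=True).encode()
    return tampered


def naive_client(server: dict) -> bytes:
    """Trusts the transport: fetch manifest, fetch whatever it points at, run it.
    Returns the bytes that would be executed."""
    manifest = json.loads(server["/manifest.json"])
    return server[manifest["path"]]


def hardened_client(server: dict) -> bytes:
    """Verify the manifest signature with the pinned key, then verify the
    installer against the hash in the signed manifest, before anything runs."""
    manifest_bytes = server["/manifest.json"]
    expected_sig = sign_manifest(manifest_bytes)
    if not hmac.compare_digest(expected_sig, server["/manifest.sig"].decode()):
        raise UpdateRejected("manifest signature does not verify")
    manifest = json.loads(manifest_bytes)
    installer = server[manifest["path"]]
    actual = hashlib.sha256(installer).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise UpdateRejected("installer hash does not match signed manifest")
    return installer


if __name__ == "__main__":
    server = build_vendor_server()
    print("naive client would run:", naive_client(mitm_swap_payload_only(server)))
    for attack in (mitm_swap_payload_only, mitm_swap_payload_and_manifest):
        try:
            hardened_client(attack(server))
        except UpdateRejected as err:
            print(f"hardened client rejected {attack.__name__}: {err}")
```

The point of the two attack functions is that a hash alone is not enough: an attacker who can rewrite the installer can usually rewrite the manifest that carries the hash as well, so the hash has to live inside something the attacker cannot forge. TLS with proper certificate validation closes the interception itself; signature verification over the downloaded artifact is what keeps a broken or downgraded transport from becoming code execution.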

Why AMD denied the $10,000 bounty

The researcher expected the standard $10,000 payout for an RCE-class report, but AMD rejected the claim, saying MITM-style scenarios do not fall under its payout policy. That may satisfy a rulebook, but it also creates the sort of incentive problem that can make researchers think twice before reporting the next serious bug instead of just talking about it publicly.

There’s a familiar pattern here. Security programs often promise clear rewards, then carve out so many exceptions that the headline number looks generous while the real-world payout rate tells a different story. Meanwhile, the company still gets the fix it needed.

124 days to patch the driver issue

AMD did patch the problem, but the timeline stretched to 124 days. The researcher also said the remediation process saw repeated schedule changes and a widening scope of affected components, which is rarely the sign of a tidy little bug. He agreed to an embargo and temporarily pulled the public write-up while the issue was being handled.

That leaves AMD in the awkward position of having both the vulnerability and the reputational mess resolved only halfway: the software is fixed, but the bounty dispute is still the story people will remember. If the company wants future reporters to follow the rules, it may need a tighter and more transparent policy than "thanks, but no thanks."

Source: Ixbt
