AMD fixed a critical flaw in its driver update system after 124 days, but the researcher who reported the AMD security bug says the promised $10,000 bounty never arrived. The dispute centers on a remote code execution path tied to a man-in-the-middle attack, the kind of bug vendors usually prefer to pay for quietly rather than argue about in public.

That makes this more than a payout spat. It is a familiar tension in bug bounty programs: companies want external researchers to find dangerous holes early, but they also tend to narrow the definition of what qualifies for cash once the report lands. Here, AMD reportedly leaned on policy language to reject the claim even after shipping a fix.

The bug lived in AMD’s update path

According to the researcher, the vulnerability could have enabled remote code execution through a man-in-the-middle attack against AMD software used for automatic driver updates. In plain English: intercept the update flow at the right moment, and you may be able to push malicious code instead of a legitimate package.
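To make the defender's side of that sentence concrete, here is an added example (not AMD's code, and not based on any detail of the unpublished report) of the difference between an updater that trusts whatever arrives on the wire and one that verifies an Ed25519-signed manifest under a pinned vendor key before installing. The manifest format, the `signedPayload` layout, the version-rollback rule and the sample package bytes are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata a hypothetical update server publishes next to a
// package: the package version, its SHA-256 digest, and an Ed25519 signature
// over both made with the vendor's release key. (Constructed format.)
type Manifest struct {
	Version   uint64
	Digest    [sha256.Size]byte
	Signature []byte
}

// signedPayload is the exact byte string the signature covers. Binding the
// version into it stops an attacker from pairing an old signed digest with a
// different version number.
func signedPayload(version uint64, digest [sha256.Size]byte) []byte {
	buf := make([]byte, 8, 8+sha256.Size)
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, digest[:]...)
}

// newVendorKey stands in for the vendor's offline release key pair; the
// public half is what a client ships with and pins.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signManifest is the build-server side: hash the package, sign version+digest.
func signManifest(priv ed25519.PrivateKey, version uint64, pkg []byte) Manifest {
	digest := sha256.Sum256(pkg)
	return Manifest{
		Version:   version,
		Digest:    digest,
		Signature: ed25519.Sign(priv, signedPayload(version, digest)),
	}
}

// insecureInstall is the pattern the article describes: whatever bytes arrive
// on the update channel are treated as the package. Anyone who can rewrite
// traffic between client and server decides what gets installed.
func insecureInstall(pkg []byte) []byte {
	return pkg
}

var (
	errBadSignature = errors.New("manifest signature does not verify under pinned vendor key")
	errBadDigest    = errors.New("package digest does not match signed manifest")
	errRollback     = errors.New("manifest version is older than the installed version")
)

// verifiedInstall accepts the package only when the manifest verifies under
// the pinned vendor key, the package bytes hash to the signed digest, and the
// version does not go backwards. Transport security alone is not enough here:
// the client must be able to prove who produced the bytes, not just who
// delivered them.
func verifiedInstall(pinned ed25519.PublicKey, installed uint64, m Manifest, pkg []byte) ([]byte, error) {
	if !ed25519.Verify(pinned, signedPayload(m.Version, m.Digest), m.Signature) {
		return nil, errBadSignature
	}
	if sha256.Sum256(pkg) != m.Digest {
		return nil, errBadDigest
	}
	if m.Version < installed {
		return nil, errRollback
	}
	return pkg, nil
}

func main() {
	pub, priv := newVendorKey()
	genuine := []byte("driver v2: constructed sample package bytes")
	m := signManifest(priv, 2, genuine)

	// Constructed substitution of the package body in transit.
	tampered := []byte("driver v2: substituted bytes")

	fmt.Println("insecure path installs substituted body:", string(insecureInstall(tampered)) == string(tampered))
	_, err := verifiedInstall(pub, 1, m, tampered)
	fmt.Println("verified path rejects substituted body:", err)
	_, err = verifiedInstall(pub, 1, m, genuine)
	fmt.Println("verified path accepts genuine body, err =", err)
}
```

The three checks are ordered so that the cheapest-to-forge input (an unsigned body) is rejected before anything is hashed or compared, and the rollback check lives inside the signed payload's scope so a valid-but-old manifest cannot be replayed to reintroduce a patched version.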

AMD eventually patched the issue, but the fix did not move quickly. The remediation process stretched over 124 days, with repeated deadline slips and an expanded scope as more affected components came into view. That is not unusual in software security, but it does suggest the original problem was wider than a neat one-off bug.

Why the bounty was denied

The researcher says he submitted the report through AMD’s vulnerability reward program and expected the standard payout for an RCE-class issue. AMD, however, declined to pay, arguing that man-in-the-middle scenarios do not fall under the company’s bounty policy. So the vendor got the warning, got the patch, and apparently decided that was enough, thank you very much.

Security teams often rely on outside researchers to catch update-chain bugs before attackers do. The awkward part is that update systems are exactly where trust, networking, and code execution collide, which makes them valuable targets and messy cases for reward programs that prefer tidy categories.

What this says about bug bounty programs

Cases like this tend to discourage the very people vendors want on their side. If a researcher can be kept waiting through months of patching and then turned away on a technicality, the message to the community is blunt: report responsibly, but do not expect the paperwork to be equally responsible.

The bigger question is whether AMD’s policy is too narrow for the kind of attack paths modern software actually exposes. Update mechanisms, cloud services, and signed delivery chains have blurred the old borders between network attacks and code execution, and bounty programs that do not adapt will keep looking surprisingly out of date.

Source: Ixbt
