- Researcher Paul found RCE via MITM in AMD’s automatic updater, but was denied the bounty
- AMD imposed extended embargo, then changed disclosure rules after criticism
- The security community responded, saying the new policy discourages transparency and undervalues investigators.
A security researcher discovered a remote code execution (RCE) vulnerability in an AMD product, but the company allegedly denied him the bug bounty it promised for such findings.
In February 2026, a researcher named Paul discovered a possible RCE flaw through a man-in-the-middle (MITM) attack on AMD’s self-updating software. He reported it to AMD and published a blog post about his findings.
However, AMD said that MITM attacks are not covered by the bounty (even though this is an RCE flaw) and asked the researcher to take the blog offline, which he did.
The company requested a 100-day embargo before the news could be published, as additional tools were allegedly also vulnerable. That embargo later ended up being 124 days, much longer than the usual 90-day period.
In its write-up, Tom’s Hardware argues that this alone merits reconsideration rather than denying the $10,000 reward reserved for such defects.
AMD fixed the problem by redesigning the download code in the automatic updater, but then another problem arose: the updater was actually broken and couldn’t update itself.
To make matters worse, after it was revealed that it had denied the researcher the bounty, AMD reportedly updated its bug bounty disclosure rules to extend non-disclosure requirements to cover bugs deemed out of scope. According to Technological point, critics “immediately noted that it appeared to be a direct response to public criticism rather than a pre-existing policy.”
The same post also said the change was “strongly pushed back” by the security community, as it effectively “tells future researchers that even if a bug falls outside the scope of the bounty, they can’t immediately disclose it publicly, removing one of the only tools researchers have to pressure companies to take their findings seriously.”
On Reddit, the community is discussing whether AMD “values researchers who provide it with critical vulnerabilities.”





