www.amd.com
AMD Denies $10,000 Bounty After Critical Vulnerability Discovery
Article Content
A security researcher discovered a critical vulnerability in AMD's auto-updater software that allowed remote code execution via a man-in-the-middle attack. The flaw was reported on February 6, 2026, but AMD initially deemed it 'out of scope' for its bug bounty program. After 124 days, the vulnerability was patched, but AMD changed its rules retroactively to deny the researcher a $10,000 bounty. The vulnerability, now identified as CVE-2026-40677, involved the use of unencrypted HTTP connections for updates. Although AMD acknowledged the issue and credited the researcher, the patch still raises concerns about the security of the update process. The researcher verified that while HTTPS was now implemented, the downloaded files were still only checked with a CRC32 checksum, a non-cryptographic check that detects accidental corruption but does not authenticate the file. This incident has sparked significant criticism regarding AMD's handling of the situation.
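The following is an added illustration, not code from the article, from AMD, or from the researcher, of why the CRC32 check mentioned above does not protect an update channel. It models the article's scenario (a download replaced in transit) with constructed byte strings: the CRC32 travelling with the file is unkeyed, so whoever swaps the file can swap the checksum too, whereas a signature over the file's SHA-256 cannot be regenerated without the vendor's key. The key, payloads and function names are assumptions for the demo; HMAC with a pinned key stands in for the asymmetric signature (Ed25519, RSA) a real updater would verify, because the Python standard library ships no such primitive.

```python
import hashlib
import hmac
import zlib

# Constructed sample data for the demo (not AMD's payload or keys).
VENDOR_KEY = b"constructed-demo-signing-key"
GENUINE_UPDATE = b"updater-payload-v1: install driver 1.2.3"
TAMPERED_UPDATE = b"updater-payload-v1: install driver 1.2.3 (altered in transit)"


def crc32_check(payload: bytes, expected_crc: int) -> bool:
    """A CRC32 comparison only catches accidental corruption: the value is
    unkeyed, so anyone who controls the channel can supply a matching one."""
    return (zlib.crc32(payload) & 0xFFFFFFFF) == expected_crc


def sign_manifest(payload: bytes, key: bytes) -> bytes:
    """Vendor side: bind the SHA-256 of the payload to a key the client pins.
    Stand-in for an asymmetric signature (assumption for this demo)."""
    digest = hashlib.sha256(payload).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify_signed(payload: bytes, signature: bytes, key: bytes) -> bool:
    """Client side: recompute the expected value and compare in constant time."""
    expected = sign_manifest(payload, key)
    return hmac.compare_digest(expected, signature)


def compare_checks() -> dict:
    """Run both checks against the genuine file and against a file replaced
    on the wire, and report which check each one passes."""
    # What the vendor publishes alongside the genuine file.
    genuine_crc = zlib.crc32(GENUINE_UPDATE) & 0xFFFFFFFF
    genuine_sig = sign_manifest(GENUINE_UPDATE, VENDOR_KEY)

    # The article's scenario over plain HTTP: the file and its CRC are both
    # replaced in transit. The attacker lacks VENDOR_KEY, so the only
    # signature available to replay is the genuine one.
    delivered_file = TAMPERED_UPDATE
    delivered_crc = zlib.crc32(TAMPERED_UPDATE) & 0xFFFFFFFF
    delivered_sig = genuine_sig

    return {
        "genuine_passes_crc": crc32_check(GENUINE_UPDATE, genuine_crc),
        "genuine_passes_signature": verify_signed(GENUINE_UPDATE, genuine_sig, VENDOR_KEY),
        "tampered_passes_crc": crc32_check(delivered_file, delivered_crc),
        "tampered_passes_signature": verify_signed(delivered_file, delivered_sig, VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, outcome in compare_checks().items():
        print(f"{name}: {outcome}")
```

The replaced file passes the CRC32 check and fails the signature check. Two points follow for anyone reviewing an updater: a checksum shipped over the same channel as the file authenticates nothing, and even a CRC pinned out of band is not collision-resistant, so the integrity value an installer trusts must be a cryptographic digest bound to a key the client already holds, with TLS protecting only the transport.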
Key Points:
• AMD denied a $10,000 bounty for a critical vulnerability discovered by a researcher.
• The vulnerability, CVE-2026-40677, allowed remote code execution via man-in-the-middle attacks.
• AMD changed its bug bounty rules retroactively, raising ethical concerns about its disclosure policies.