AMD denies researcher $10,000 bug bounty reward — despite spotting critical-severity issue

  • Researcher Paul found RCE via MITM in AMD’s auto‑updater, but bounty denied
  • AMD imposed extended embargo, later changed disclosure rules after criticism
  • Security community pushed back, saying new policy discourages transparency and undervalues researchers

A security researcher discovered a remote code execution (RCE) vulnerability in an AMD product, but the company allegedly denied him the bug bounty it promised for such findings.

In February 2026, a researcher called Paul discovered a potential RCE flaw, exploitable via a man-in-the-middle (MITM) attack, in AMD’s auto-updater software. He reported it to AMD and published a blog post about his findings.

However, AMD said MITM attacks are not covered by the bounty (despite this being an RCE flaw) and asked the researcher to pull the blog offline, which he did.

The company asked for a 100-day embargo on breaking the news, since additional tools were allegedly vulnerable as well. That embargo...

Copyright of this story solely belongs to techradar.com.