- Researcher Paul found RCE via MITM in AMD’s auto‑updater, but bounty denied
- AMD imposed extended embargo, later changed disclosure rules after criticism
- Security community pushed back, saying new policy discourages transparency and undervalues researchers
A security researcher discovered a remote code execution (RCE) vulnerability in an AMD product, but the company allegedly denied him the bug bounty it promised for such findings.
In February 2026, a researcher called Paul discovered a potential RCE flaw, exploitable via a man-in-the-middle (MITM) attack, in AMD’s auto-update software. He reported it to AMD and published a blog post about his findings.
However, AMD said MITM attacks are not covered by the bounty (despite this being an RCE flaw) and asked the researcher to pull the blog post offline, which he did.
The company asked for a 100-day embargo on breaking the news, since additional tools were allegedly vulnerable as well. That embargo later ended up being 124 days, significantly longer than the usual 90-day window.
In its writeup, Tom’s Hardware argues this alone merits reconsideration over denying the $10,000 bounty reserved for such flaws.
AMD addressed the issue by reengineering the download code in the auto-updater, but then another issue arose: the updater was actually broken and unable to update itself.
To make matters worse, after news broke that it denied the researcher the bounty, AMD allegedly updated its bug bounty disclosure rules to extend the non-disclosure requirements to cover bugs deemed out of scope. According to TechSpot, critics “immediately pointed out it appeared to be a direct response to the public criticism rather than a pre-existing policy.”
The same publication also said that the security community “pushed back hard”, since the change effectively “tells future researchers that even if a bug falls outside bounty scope, they cannot immediately disclose it publicly, removing one of the only tools researchers have to pressure companies into taking their findings seriously.”
On Reddit, the community is discussing whether AMD “values the researchers who bring it critical vulnerabilities”.