TechRadar
Sead Fadilpašić

AMD denies researcher $10,000 bug bounty reward — despite spotting critical-severity issue

Logos for AMD Radeon and AMD Ryzen.
  • Researcher Paul found RCE via MITM in AMD’s auto‑updater, but bounty denied
  • AMD imposed extended embargo, later changed disclosure rules after criticism
  • Security community pushed back, saying new policy discourages transparency and undervalues researchers

A security researcher discovered a remote code execution (RCE) vulnerability in an AMD product, but the company allegedly denied him the bug bounty it promised for such findings.

In February 2026, a researcher called Paul discovered a potential RCE flaw, exploitable via a man-in-the-middle (MITM) attack, in AMD’s auto-update software. He reported it to AMD and published a blog post about his findings.

However, AMD said MITM attacks are not covered by the bounty (despite this being an RCE flaw) and asked the researcher to pull the blog offline, which he did.


The company asked for a 100-day embargo on breaking the news, since additional tools were allegedly vulnerable as well. That embargo later ended up being 124 days, significantly longer than the usual 90-day window.

In its writeup, Tom's Hardware argues that this alone merits reconsidering the decision to deny the $10,000 bounty reserved for such flaws.

AMD addressed the issue by reengineering the download code in the auto-updater, but then another issue arose: the updater was actually broken and unable to update itself.

To make matters worse, after news broke that it denied the researcher the bounty, AMD allegedly updated its bug bounty disclosure rules to extend the non-disclosure requirements to cover bugs deemed out of scope. According to TechSpot, critics “immediately pointed out it appeared to be a direct response to the public criticism rather than a pre-existing policy.”

The same publication also said that the security community “pushed back hard”, since the change effectively “tells future researchers that even if a bug falls outside bounty scope, they cannot immediately disclose it publicly, removing one of the only tools researchers have to pressure companies into taking their findings seriously.”

On Reddit, the community is discussing whether AMD “values the researchers who bring it critical vulnerabilities”.
