Bug Bounties

AMD faces backlash over alleged bug bounty denial and changed disclosure rules


Based on information from Tech Radar, a security researcher has sparked controversy after AMD allegedly denied a bug bounty for a critical remote code execution (RCE) vulnerability discovered in the company's auto-updater software. The situation has escalated with criticism directed at AMD's handling of the disclosure and subsequent changes to its bug bounty program rules.

A researcher identified as Paul reportedly found that a man-in-the-middle attacker could achieve remote code execution through AMD's auto-updater. Despite the report, AMD reportedly denied the $10,000 bug bounty on the grounds that man-in-the-middle attacks were outside the scope of its program, even though the flaw allowed RCE. According to the researcher, this came after an extended 124-day embargo period, significantly longer than the standard 90 days, during which AMD addressed the vulnerability by reengineering the download code.
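
As an added illustration of the defensive pattern behind "reengineering the download code" (example code written for this page, not AMD's or the researcher's), the check below accepts a downloaded installer only if a vendor signature over its SHA-256 digest verifies against a public key pinned in the client, so the transport is never trusted. The key pair, the Update type and the sample installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the (constructed) update server returns: the installer bytes
// and a detached signature over SHA-256(installer).
type Update struct {
	Installer []byte
	Signature []byte
}

// VerifyUpdate rejects the payload unless the signature over its digest checks
// out against a key pinned at build time. Because the check is independent of
// HTTP/TLS, an attacker who rewrites bytes in transit cannot pass it without
// the vendor's private key; nothing should be executed before this returns nil.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Installer)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return errors.New("update signature invalid: refusing to execute installer")
	}
	return nil
}

// signUpdate stands in for the vendor's release pipeline (constructed here).
func signUpdate(priv ed25519.PrivateKey, installer []byte) Update {
	digest := sha256.Sum256(installer)
	return Update{Installer: installer, Signature: ed25519.Sign(priv, digest[:])}
}

// simulateTransitTampering models the failure mode under test: the installer
// bytes change between server and client while the signature stays the same.
func simulateTransitTampering(u Update) Update {
	return Update{Installer: []byte("constructed-substituted-installer"), Signature: u.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signUpdate(priv, []byte("constructed-vendor-installer-v1.2.3"))
	fmt.Println("genuine  ->", VerifyUpdate(pub, genuine))                           // <nil>
	fmt.Println("tampered ->", VerifyUpdate(pub, simulateTransitTampering(genuine))) // error
}
```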

Following public criticism, AMD allegedly revised its disclosure rules, extending non-disclosure requirements to bugs deemed out of scope. This move has drawn sharp criticism from the security community, who argue it discourages transparency and undervalues researchers' contributions, potentially hindering public disclosure of critical vulnerabilities.

Source: Tech Radar
