AMD Refuses To Pay A $10,000 Bug Bounty For A Flaw It Never Caught

The semiconductor company AMD operates a product security bug bounty program that awards up to $30,000 to security researchers who report a discovered vulnerability within AMD's products. But when a New Zealand researcher identified a remote code execution (RCE) vulnerability in AMD's AutoUpdate software, the company refused to pay the $10,000 bounty that this type of bug should have been worth.

The researcher in question is a 22-year-old programmer who goes by Paul. He posted about the situation on his MrBruh blog, where he details how he discovered the flaw and how easily a malicious party could exploit the RCE vulnerability to execute a man-in-the-middle (MITM) attack on your network. Despite the severity of this bug and the possibility that it could have affected millions of users, it took AMD a whopping 124 days to patch it — a fact that you might want to keep in mind when you're deciding whether Intel or AMD is better for your next computer.

AMD acknowledged Paul's findings and even took action based on his report, so why aren't they paying the bounty? Despite the fact that Paul drew attention to a major bug, the terms of the bounty program state that MITM attacks are outside the scope of the program. The report was closed, and to add insult to injury, Paul was asked to take down his original blog post on the matter for an indefinite period.

What the AMD bug means for consumers

Like any company, AMD has its ups and downs. They recently earned some goodwill after announcing that older AMD graphics cards will soon receive a free major upgrade. However, the situation surrounding Paul raises questions about AMD's consideration for its consumers and community members. The big question stemming from all of this is: Should you be worried about security if you have AMD components in your computer?

The good news is that AMD did patch the AutoUpdate bug that Paul brought to light. AMD published a CVE report on June 12 that includes details on the issue and actions taken. Before this fix, users were exposed to potential MITM attacks for as many as 124 days. This type of attack entails eavesdropping or even placing code directly between the target and the application they're using. This was made possible because malicious parties could perform a simple RCE to, as Paul explained, "replace the network response with any malicious executable of their choosing."

If you use AMD products with auto-update functionality, you might still be affected by the AMD bug that Paul discovered. In Paul's republished blog post about the RCE vulnerability, he recommends that AMD users should "uninstall everything" and download the latest versions of AMD software from the official website. And of course, you should always use security apps that actually protect your computer.