Technology

AMD Refused to Pay $10,000 for Bug Fix, Then Changed Its Own Rules

Martin Holloway · Published 5d ago · 4 min read · Based on 2 sources
AMD declined to pay a $10,000 bug bounty to a security researcher who reported a serious flaw in the company's auto-updater software. The company also changed the terms of its bounty program before making that decision, according to reporting by Tom's Hardware and TechSpot on 12 June 2026.

The vulnerability was straightforward: AMD's software updater was downloading updates over HTTP, a protocol that provides neither encryption nor integrity protection. Think of it like mailing a package without sealing it. Anyone positioned along the delivery route, say an attacker on your coffee shop's WiFi or anywhere else on the path your traffic takes, could open that package and swap the real software update for a malicious one. When your computer installed what it thought was a legitimate AMD update, it would actually be running malware with the elevated privileges the updater itself holds.

This is not a subtle flaw. The software industry has used the more secure HTTPS protocol as standard practice for delivering updates for years now. What makes this particular case newsworthy is the timeline and what happened next.

AMD took 124 days to release a patch after the researcher reported the problem. The standard in the security industry is 90 days — a window that gives vendors time to fix the issue without leaving vulnerable systems exposed for months. AMD missed that benchmark considerably.

Then the dispute over payment began. According to the reporting, AMD changed the rules of its bug bounty program before refusing to pay the $10,000 the researcher had been promised. Exactly how AMD rewrote those rules remains unclear from public accounts so far. What is established is that the change came after the researcher reported the bug.

The logic of a bug bounty program is straightforward: a security researcher discovers a flaw, reports it privately to the company instead of selling it on the black market or publishing it publicly, and the company pays them. When a company shifts the terms of that agreement retroactively — after the researcher has already done the work — the deal collapses. That matters beyond this single case. Other security researchers watching this situation will think twice before reporting flaws to AMD. If you are a researcher deciding whether to trust a company with sensitive information, and you see that company move the goalposts after the fact, you move on.

AMD has not issued a detailed public explanation of why it changed its bounty rules or why it declined to pay, as of 12 June 2026.

The broader context is worth considering: auto-updaters run with high privileges on your machine. They operate quietly in the background, and most people trust them implicitly. AMD has a large customer base across both consumer and business computers. The 124 days between the researcher's report and AMD's patch were a window in which anyone who knew about the vulnerability could have exploited it on unpatched machines. That is a material risk to real systems.

HTTP-based updates were once common across the industry. That is no longer acceptable. Major software vendors switched to HTTPS, pinned certificates to prevent tampering, and began signing their updates years ago. The high-profile SolarWinds breach, in which attackers compromised the company's update mechanism and distributed malicious code to thousands of customers, made clear to executives and engineers alike that software distribution is a critical security boundary. AMD's failure on this front falls short of modern expectations.
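The failure described above and the mitigations listed here, as an added Python example that is not AMD's code and does not come from the cited reports: the insecure path installs whatever arrives over HTTP, while the hardened path refuses a non-HTTPS source and checks the downloaded bytes against a digest published through a channel the client already trusts. The URLs and payloads are constructed placeholders, and TLS certificate validation itself is left to the HTTP client library, so the scheme check stands in for the transport policy.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads standing in for an update package (not real AMD binaries).
GENUINE_UPDATE = b"updater-package-v1.2.3: genuine vendor bytes"
SWAPPED_UPDATE = b"updater-package-v1.2.3: bytes substituted in transit"

# Digest the vendor publishes through a channel the client already trusts (a signed
# manifest, or HTTPS with a pinned certificate). Computed inline because the sample
# is constructed; a real client would never derive it from the download itself.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""

def insecure_install(url: str, fetched: bytes) -> bytes:
    """The pattern the article describes: install whatever arrives, no checks."""
    return fetched

def hardened_install(url: str, fetched: bytes, expected_sha256: str) -> bytes:
    """Refuse plaintext transport, then verify the bytes that actually arrived."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")
    digest = hashlib.sha256(fetched).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):   # constant-time compare
        raise UpdateRejected("digest mismatch: payload differs from the pinned release")
    return fetched

def outcome(installer, url: str, fetched: bytes) -> str:
    """Run one installer path and report what it did with the payload."""
    try:
        installed = installer(url, fetched)
    except UpdateRejected as exc:
        return f"rejected ({exc})"
    return "installed genuine" if installed == GENUINE_UPDATE else "installed TAMPERED"

def simulate() -> dict:
    """Same in-transit swap against both installers; keys name the scenario."""
    http_url = "http://updates.example.invalid/pkg.bin"    # placeholder host
    https_url = "https://updates.example.invalid/pkg.bin"
    hardened = lambda u, b: hardened_install(u, b, PINNED_SHA256)
    return {
        "insecure_http_swapped": outcome(insecure_install, http_url, SWAPPED_UPDATE),
        "hardened_http_genuine": outcome(hardened, http_url, GENUINE_UPDATE),
        "hardened_https_swapped": outcome(hardened, https_url, SWAPPED_UPDATE),
        "hardened_https_genuine": outcome(hardened, https_url, GENUINE_UPDATE),
    }
```

Only the hardened path notices the swap; the insecure one installs the substituted bytes without complaint, which is the whole of the reported flaw.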

For AMD, the cost of this dispute will likely extend beyond the $10,000 at stake. Bug bounty programs are a recruiting tool for the security research community. They send a signal about whether a company honors its commitments when security researchers bring it vulnerabilities responsibly. How AMD responds publicly in the coming days will shape whether this becomes a one-time friction with researchers or the beginning of deeper trust problems between AMD and the security community.