
AMD Refused to Pay a Security Researcher After Changing Its Bug Bounty Rules

Martin Holloway. Published 5d ago. 4 min read. Based on 2 sources.

AMD declined to pay a $10,000 bug bounty to a security researcher who found a critical flaw in the company's auto-updater software, according to reports from Tom's Hardware and TechSpot published on 12 June 2026. The company took 124 days to patch the vulnerability and retroactively altered its bounty program terms before rejecting the payout.

The Vulnerability

The flaw is straightforward and serious: AMD's updater was downloading software patches over plain HTTP instead of the encrypted HTTPS protocol. This is a critical oversight. HTTP provides no protection against interception. An attacker on the same network — or positioned at a network routing point — can intercept the download and swap in malicious code. When the updater installs that code, it runs with the same privileges the updater itself has, often at the system level. This is a textbook attack vector that the software industry largely eliminated from update systems years ago.

The Timeline Problem

AMD took 124 days to release a patch after the researcher reported the vulnerability. Industry standards, established by CERT/CC and widely adopted, expect vendors to fix critical vulnerabilities within 90 days. AMD's timeline fell well short of that expectation.

The broader context here is that this delay exposed AMD's entire installed base — millions of users running AMD graphics drivers and system software — to potential attack during the four-month window. Anyone aware of the flaw could have exploited it on unpatched machines during that time.

The Bounty Dispute

What complicates the story is what happened next. AMD modified its bug bounty program rules before denying the researcher the $10,000 reward. The exact nature of the rule change — whether it narrowed which vulnerabilities qualified, changed payout criteria, or adjusted scope — has not been fully detailed in public reports. What is clear is that the terms shifted after the report was filed, and the researcher contested the denial.

Bug bounty programs rest on a simple contract: a researcher reports a vulnerability privately to a vendor, and the vendor pays an agreed amount and fixes the problem. When a company changes the rules after receiving a report, that contract becomes meaningless. From the researcher's perspective, the calculation that led to reporting privately — rather than selling the vulnerability elsewhere or disclosing it publicly — has been upended retroactively.

What This Means for AMD and Others

The 124-day patch timeline and the bounty denial are separate issues, but together they paint a picture of a vulnerability management process that stumbled on both the engineering and the business sides. A researcher who waited four months for a patch and received no payment has little reason to engage AMD's bounty program in the future. More broadly, other researchers watching this situation may think twice before reporting flaws to AMD privately.

Bug bounty programs are recruiting tools as much as security programs. They signal to the security research community whether a vendor is a trustworthy partner. AMD has not yet made a detailed public statement explaining the rule change or defending its decision. That silence means the researcher's account stands as the primary record.

The auto-updater itself deserves attention here. These programs run frequently, often without user interaction, and users implicitly trust them. Sending updates over unencrypted HTTP to millions of machines is not a corner case. Encrypted delivery, signed update manifests and certificate pinning are now standard practice. High-profile supply chain attacks like SolarWinds years ago made the theoretical risk real for both technical teams and executives.
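As an added illustration of the interception risk described under "The Vulnerability" and the safeguards listed just above (this is example code written for this article, not AMD's updater or anything from the cited reports), here is the minimum an update client should check before installing: that the download URL is HTTPS, that a vendor-signed manifest carrying the payload hash verifies under the vendor's public key, and that the bytes actually received match that hash. The key pair, URL and payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Manifest: the metadata an updater fetches first, signed with the vendor's key.
type Manifest struct {
	URL, SHA256 string
	Signature   []byte
}
// signedBytes is the exact byte string the vendor signs and the client verifies.
func signedBytes(u, h string) []byte { return []byte(u + "\n" + h) }

// VerifyUpdate accepts a payload only over TLS, with a valid manifest signature
// and only if the bytes actually received match the signed hash.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("update URL must use https, not plain http")
	}
	if !ed25519.Verify(pub, signedBytes(m.URL, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sum := sha256.Sum256(payload); !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return errors.New("payload hash mismatch: content altered in transit")
	}
	return nil
}

// SignManifest is the vendor-side step, included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, u string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	h := hex.EncodeToString(sum[:])
	return Manifest{URL: u, SHA256: h, Signature: ed25519.Sign(priv, signedBytes(u, h))}
}
// RunChecks verifies a genuine, a tampered and a plain-HTTP update; nil means accepted.
func RunChecks() (genuine, tampered, plainHTTP error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key, not AMD's
	payload := []byte("constructed sample update payload")
	m := SignManifest(priv, "https://updates.example.invalid/driver.bin", payload)
	genuine = VerifyUpdate(pub, m, payload)
	tampered = VerifyUpdate(pub, m, []byte("bytes swapped in by an on-path attacker"))
	m.URL = "http://updates.example.invalid/driver.bin" // fails the scheme check first
	plainHTTP = VerifyUpdate(pub, m, payload)
	return genuine, tampered, plainHTTP
}
```

Without the signed hash, an HTTPS-only check still leaves the client trusting whatever the server (or a compromised CDN) hands it; the signature is what ties the payload to the vendor's offline key.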

In my view, AMD's immediate reputational challenge is bigger than the $10,000. How the company responds publicly in the coming weeks will shape whether researchers see it as a credible partner in vulnerability disclosure or whether this becomes a lasting signal that AMD is not worth the trouble.