AMD Faces Backlash After 124-Day Delay in Fixing ‘Out of Scope’ Bug

June 15, 2026 by Kratika Solanki

Global semiconductor company AMD is facing criticism from the cybersecurity community after a security researcher accused the company of mishandling a vulnerability disclosure and later changing its bug bounty rules.

The controversy has sparked wider debate over how major technology companies work with independent researchers, especially when serious vulnerabilities are reported but later labelled “out of scope” for reward programs.

The issue was raised by independent researcher Paul LaRosa, known online as “MrBruh,” who claimed that a flaw in AMD’s software updater mechanism could potentially allow attackers to execute malicious code under specific conditions.

Vulnerability Found in AMD Software Updater

According to the researcher, the vulnerability existed in software responsible for downloading and installing updates on user systems, including tools such as AMD’s Ryzen Master gaming utility.

He claimed that while the updater retrieved update lists over secure HTTPS connections, some executable download links relied on standard HTTP.

Cybersecurity experts warn that this kind of setup can expose users to man-in-the-middle attacks, where an attacker intercepts or alters network communication between two parties.

Risk of Malicious Update Replacement

If successfully exploited, an attacker positioned on the same network or capable of interfering with internet traffic could potentially replace a legitimate software update with a malicious file.

Because software update tools often run with elevated system privileges, such a flaw could carry serious consequences, including remote code execution and wider system compromise.

However, analysts later noted an unusual twist. A broken segment in the update script reportedly prevented the vulnerable routine from being called naturally, meaning the tool was technically too broken to trigger the exploit unless forced.

Researcher Says Report Was Closed as Out of Scope

The researcher said he reported the vulnerability to AMD through its bug bounty program on the Intigriti platform on February 5.

According to his account, AMD closed the report soon after, stating that the issue was outside the scope of the company’s reward program because it involved a man-in-the-middle attack scenario.

As a result, he was deemed ineligible for a potential top-tier remote code execution bounty payout of around $10,000, or approximately ₹8.5 lakh.

Blog Post Triggered Fresh Engagement

The dispute escalated after MrBruh briefly published a blog post describing the flaw.

AMD’s Product Security Incident Response Team reportedly contacted him again, asking him to take down the post and follow a temporary non-disclosure embargo while the company evaluated a cross-product fix.

Although AMD allegedly promised to issue a standard CVE and credit the researcher, it continued to deny the bounty payout.

The researcher claimed the embargo was repeatedly extended, and the fix was finally rolled out on June 9 after 124 days.

Updated Bug Bounty Rules Draw Criticism

Further criticism emerged after researchers noticed changes to AMD’s bug bounty program conditions.

The updated policy language reportedly added strict disclosure restrictions, stating that researchers must not publish proof-of-concept material on platforms such as YouTube or personal blogs without AMD’s prior written consent.

The rule also applies even when a report is considered ineligible for bounty or outside the scope of the program.

Cybersecurity advocates argue that such rules can discourage responsible disclosure by limiting researchers while also allowing companies to avoid payouts.

Patch Fixes HTTPS Issue but Debate Continues

AMD has reportedly patched the updater to enforce encrypted HTTPS downloads.

However, the researcher claimed that the company replaced the issue with a weak CRC32 hash verification routine rather than using full cryptographic signature verification.

Security experts generally view cryptographic signing as a stronger method for ensuring software authenticity because it verifies that downloaded files genuinely come from the trusted publisher and have not been tampered with.

Why the Cybersecurity Community Is Concerned

The incident has raised broader concerns about fairness in bug bounty programs.

Independent researchers often spend significant time identifying and responsibly reporting security flaws. If companies classify serious bugs as out of scope, deny payments and still impose strict silence requirements, researchers may lose trust in coordinated disclosure systems.

Cybersecurity advocates warn that poor handling of disclosures could push some researchers toward private buyers or underground markets instead of official reporting channels.

Strong Security Review Is Essential

The controversy highlights the importance of transparent vulnerability handling, secure update systems and independent technical review.

For technology companies and businesses, weak verification processes can expose users to serious risks. Professional auditing services in India can help organisations assess internal controls, review security-related processes and identify compliance gaps before they result in reputational or operational damage.

Shunyatax Global Insight

At Shunyatax Global, we believe trust is built through transparency, accountability and responsible governance. Whether in cybersecurity, finance or business operations, organisations must respond to reported risks fairly and strengthen systems before vulnerabilities become larger threats.

For more updates on cybersecurity, compliance, taxation, technology risk and business governance, visit Shunyatax.in and stay connected with Shunyatax Global.
