
AMD Stiffs Researcher $10k Bug Bounty

Why This Matters

This incident highlights the importance of secure update mechanisms in the tech industry, as vulnerabilities in trusted processes can lead to widespread security risks for consumers. It also underscores the need for better incentives and transparency in vulnerability disclosures to encourage researchers to report flaws responsibly. For consumers, it serves as a reminder to stay vigilant about software security and updates from hardware vendors.

Al is a long time tech writer with a penchant for all things nerdy. While he writes for Gadget Review, he manages a team of review writers, ensuring their content is nothing short of perfect.

Finding a critical security vulnerability should get you rewarded, not stiffed. AMD’s auto-updater was downloading software over insecure HTTP connections, letting network attackers slip malicious code onto your system during routine updates. The researcher who found this remote code execution flaw expected a $10,000 bounty. Instead, AMD fixed the problem after four months and paid nothing.

The Flaw That Could Own Your System

A trusted update process became an open highway for malware delivery.

Paul LaRosa discovered that AMD’s Windows auto-updater—used by Ryzen Master and other utilities—was grabbing updates through unencrypted HTTP connections. Anyone positioned on your network could perform a man-in-the-middle attack, swapping legitimate driver downloads with malware. Think of it like ordering food delivery but letting strangers intercept and replace your meal between the restaurant and your door. Your system would happily install whatever the attacker served up, believing it came from AMD.

This affects you if you’ve used AMD utilities that handle automatic updates. The vulnerability created a highway for attackers to achieve remote code execution, essentially gaining control of your machine through what should be a trusted update process.
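The update flow described above can be reduced to one download step, which is where the design goes wrong. The following is an added illustration, not AMD's updater code: it places the weak pattern (fetch over whatever URL the manifest names and install the result) beside a hardened version that refuses plaintext transport and checks the installer's SHA-256 against a digest the vendor vouches for. The manifest format, the update URL, the installer bytes and the simulated "networks" are all constructed here so the whole thing runs offline; the three fetch functions stand in for an honest network, an on-path attacker who can rewrite plaintext HTTP responses, and a compromised server that serves a bad file even over TLS.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for installer payloads; nothing here is executed.
GENUINE_INSTALLER = b"MZ\x90\x00 constructed genuine driver installer"
MALICIOUS_INSTALLER = b"MZ\x90\x00 constructed attacker-substituted installer"


@dataclass(frozen=True)
class UpdateManifest:
    """Where to fetch the installer and the SHA-256 the vendor vouches for.
    (Hypothetical format. The digest must reach the client over an authenticated
    path, e.g. pinned at build time or carried in a signed manifest.)"""
    url: str
    sha256: str


HTTP_MANIFEST = UpdateManifest(
    url="http://updates.example.invalid/driver.exe",   # constructed; plaintext on purpose
    sha256=hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
)
HTTPS_MANIFEST = UpdateManifest(
    url="https://updates.example.invalid/driver.exe",  # constructed
    sha256=HTTP_MANIFEST.sha256,
)


# --- Simulated networks: no sockets, a fetch is just a function of the URL ---

def honest_network(url: str) -> bytes:
    """Nobody interferes: the genuine installer comes back."""
    return GENUINE_INSTALLER


def on_path_attacker(url: str) -> bytes:
    """An on-path attacker can rewrite a plaintext HTTP response in transit;
    a TLS response cannot be altered without a certificate the client accepts."""
    if urlparse(url).scheme == "http":
        return MALICIOUS_INSTALLER
    return GENUINE_INSTALLER


def compromised_mirror(url: str) -> bytes:
    """Transport is intact, but the server itself serves a bad file."""
    return MALICIOUS_INSTALLER


class UpdateRejected(Exception):
    """Raised when the hardened updater refuses to install a download."""


# --- The two updater designs ---

def insecure_update(manifest: UpdateManifest, fetch) -> bytes:
    """The weak pattern: install whatever the fetch returns, with no
    transport or integrity requirement."""
    return fetch(manifest.url)


def hardened_update(manifest: UpdateManifest, fetch) -> bytes:
    """Refuse plaintext transport, then verify the payload digest before
    handing anything to the installer."""
    if urlparse(manifest.url).scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update URL: {manifest.url}")
    payload = fetch(manifest.url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, manifest.sha256):
        raise UpdateRejected("installer digest mismatch; download discarded")
    return payload


def run_update(updater, manifest: UpdateManifest, fetch) -> str:
    """Report the outcome as a verdict string instead of executing anything."""
    try:
        payload = updater(manifest, fetch)
    except UpdateRejected as exc:
        return f"rejected: {exc}"
    return "installed genuine" if payload == GENUINE_INSTALLER else "installed TAMPERED"


if __name__ == "__main__":
    scenarios = [
        ("insecure, attacker on path", insecure_update, HTTP_MANIFEST, on_path_attacker),
        ("hardened, http manifest", hardened_update, HTTP_MANIFEST, on_path_attacker),
        ("hardened, https, attacker on path", hardened_update, HTTPS_MANIFEST, on_path_attacker),
        ("hardened, https, mirror compromised", hardened_update, HTTPS_MANIFEST, compromised_mirror),
    ]
    for label, updater, manifest, net in scenarios:
        print(f"{label:38} -> {run_update(updater, manifest, net)}")
```

The two checks are independent on purpose: TLS stops the on-path substitution the article describes, while the digest check catches a bad file that arrives over a perfectly good connection. Neither replaces the other, and in a real updater the digest (or a signature over the manifest that carries it) has to be obtained through a channel the attacker cannot rewrite, otherwise the attacker simply substitutes a matching hash along with the payload.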

Four Months of “Just a Little More Time”

What started as a 90-day disclosure window stretched into a four-month waiting game.

AMD acknowledged the flaw was real but refused the bounty, citing policy exclusions for man-in-the-middle attacks. The company asked LaRosa to delay public disclosure in February, promising a fix within 90 days—standard practice in security research. Then AMD asked for more time. Then more again. The final patch arrived 124 days after the initial report.
