AMD Denies $10,000 Bounty to Researcher Who Exposed Flawed Auto-Updater

AMD rejected a $10,000 bug bounty for Paul LaRosa after he reported a critical remote code execution flaw in its auto-updater. The company took 124 days to patch the HTTP vulnerability, retroactively altered program rules, and cited out-of-scope policies despite issuing a CVE. The case exposes tensions in how vendors reward security research.
AMD Denies $10,000 Bounty to Researcher Who Exposed Flawed Auto-Updater
Written by Emma Rogers

Paul LaRosa found the flaw almost by accident. A pop-up from AMD’s auto-updater kept appearing on his new gaming PC. He investigated. What he uncovered was a remote code execution vulnerability that let attackers on the same network inject malicious updates over plain HTTP.

The discovery set in motion a four-month saga. AMD first dismissed the report. Then it asked LaRosa to stay silent. The company took 124 days to ship a fix. And in the end it paid nothing. The episode has sparked fresh debate about how chipmakers handle security researchers. It also highlights gaps that persist even after companies launch formal bounty programs.

LaRosa reported the issue through AMD’s bug bounty platform on Intigriti in February. The program, relaunched in 2024 with rewards up to $30,000, seemed like the right channel. An RCE bug in update software carried obvious risk. Attackers could sit on a local network, tamper with downloads, and gain control of systems running AMD software. Tom’s Hardware first detailed the denial and timeline.

Yet AMD rejected the submission. Man-in-the-middle attacks sat explicitly out of scope. Company representatives told LaRosa the bug didn’t qualify. He took down his initial blog post at their request. Cooperation seemed straightforward. Then months passed.

AMD later reached out. It acknowledged the problem. Officials requested an embargo while they worked on a patch. They promised resolution inside 90 days, the common industry window. LaRosa agreed. The clock started. But the fix didn’t arrive on time. Extensions followed. The patch finally landed on June 9. That marked 124 days from initial disclosure. The associated CVE-2026-40677 carries a CVSS score of 7.7. TechSpot reported the rule changes and researcher frustration.

By then the dynamic had shifted. AMD updated its bounty terms. New language made public discussion or certain disclosures violations. The company applied those changes retroactively to LaRosa’s case. His earlier blog post, even though removed at their ask, became grounds to deny payment. No bounty. No reward. Just a thank you in the security bulletin.

The original Gadget Review coverage captured the core grievance. AMD’s auto-updater downloaded software without proper signature verification or HTTPS. Network adversaries could replace legitimate packages with malware. The impact reached Ryzen Master and other tools that millions of users run. A compromised update mechanism strikes at the heart of system trust.

Researchers who spoke on background describe similar patterns. Companies invite reports through shiny platforms. When inconvenient flaws surface they retreat behind policy fine print. LaRosa cooperated fully. He withheld publication. He waited. The delay stretched beyond standard timelines. Industry observers note that 124 days exceeds the 90-day norm many vendors tout.

AMD’s product security page directs all reports to Intigriti. The program lists clear severity tiers. Critical bugs can command $15,000 or more. Discretion rests entirely with AMD. Bounty amounts, timing, even eligibility remain at the company’s sole judgment. That clause appears in black and white. It gives legal cover. It also breeds skepticism when researchers feel the process lacks transparency.

News of the dispute spread quickly on X. Users called the decision shortsighted. One popular post tallied over 1,200 likes within hours. Commenters questioned whether saving $10,000 justified the reputational hit. Security professionals warned that such episodes discourage future reports. Why hunt bugs if companies rewrite rules after the fact?

The vulnerability itself wasn’t exotic. It stemmed from basic oversights in how the updater fetched files. No encryption. No strong authentication. Local network access sufficed for exploitation. In corporate environments or shared Wi-Fi that vector becomes realistic. Gamers running Ryzen Master on home networks faced exposure too.

AMD eventually issued a fix. It assigned a CVE. The security bulletin thanked LaRosa by name for his contribution. Public credit arrived. Monetary compensation did not. The researcher reposted his analysis once the embargo lifted. Details of the back-and-forth emails surfaced. They paint a picture of initial dismissal followed by delayed engagement.

This isn’t AMD’s first brush with bounty controversy. The company expanded its program only two years ago to broaden participation. Rewards looked generous on paper. Yet cases like this test whether the system delivers on its promise. Other vendors have faced parallel criticism. Microsoft drew fire for its handling of certain researchers. The pattern suggests structural tensions remain.

LaRosa’s experience carries lessons. Clear policies matter. So does consistent application. Retroactive rule changes erode confidence. Extended patch timelines without communication leave researchers in limbo. And when a bug receives a CVE and ships a fix, the original finder deserves more than a footnote.

Chipmakers ship software alongside silicon these days. Ryzen Master, auto-updaters, management tools. They expand the attack surface. Security bounties exist to surface flaws before adversaries do. When those programs falter the entire supply chain feels the strain.

AMD has not commented publicly beyond its bulletin. The Intigriti page still lists the program with its original reward ranges. Out-of-scope categories remain. Man-in-the-middle attacks sit among them. That stance shields against theoretical network attacks. But when real impact follows, as it did here, the distinction feels academic to many.

Security teams inside large hardware firms walk a tightrope. They must triage thousands of reports. Many prove low quality or duplicative. Budgets aren’t unlimited. Yet the cost of ignored or underpaid findings can dwarf a $10,000 payout. Brand damage spreads fast in researcher circles. Future submissions may dry up. Or worse, researchers might choose full disclosure over cooperation.

The episode also raises questions about update infrastructure across the industry. Many vendors still rely on HTTP for legacy reasons. Signature checks help but aren’t foolproof if the delivery channel stays weak. Modern expectations favor HTTPS everywhere plus certificate pinning or other defenses. AMD’s patch presumably addressed the core weakness. Users should apply it.

For now the story serves as a cautionary tale. LaRosa did the work. He followed the process. He waited the extra weeks. The company fixed the bug. Recognition came in one form but not the one that matters most to independent researchers who invest unpaid time.

Whether this changes AMD’s approach remains unclear. The backlash has been swift and visible. Similar disputes have prompted policy tweaks at other firms. Greater transparency around bounty decisions could help. So could faster timelines and clearer communication when delays occur.

One thing is certain. The flaw was real. The fix mattered. And the researcher who brought it forward walked away empty-handed. That outcome leaves a sour taste across the security community at a time when hardware trust faces growing scrutiny.

Subscribe for Updates

SecurityProNews Newsletter

News, updates and trends in IT security.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us