Global semiconductor giant AMD has found itself at the center of a cybersecurity controversy after a security researcher accused the company of mishandling the disclosure of a serious software vulnerability and subsequently changing its bug bounty rules. The incident has sparked debate within the cybersecurity community over how technology companies engage with independent researchers and manage responsible vulnerability disclosure programs.
The controversy revolves around a vulnerability discovered by an independent security researcher known online as “MrBruh” (identified as Paul LaRosa). According to the researcher, the flaw existed within AMD’s software updater mechanism and could potentially allow attackers to execute malicious code under specific circumstances. The issue was reportedly found in software responsible for downloading and installing updates on users’ systems, such as the Ryzen Master gaming utility.
The Broken Insecure Update Loop
MrBruh claimed that while examining the updater, he discovered that update lists were retrieved over secure HTTPS connections, but some executable download links relied on plain, unencrypted HTTP. He further alleged that the updater lacked sufficiently robust verification of downloaded files before executing them. Such a configuration, according to cybersecurity experts, could expose users to man-in-the-middle (MITM) attacks, where an attacker intercepts and alters communications between two parties.
If exploited successfully, an attacker positioned on the same network—or capable of interfering with network traffic—could potentially replace a legitimate software update with a malicious file. Because update tools often operate with elevated system privileges, the resulting impact could be significant, including remote code execution (RCE) and broader system compromise. Irony struck later when analysts noticed that a broken segment in the update script prevented the vulnerable routine from being called in normal operation, meaning the tool was technically too broken to reach its own vulnerable code path unless that routine was invoked deliberately.
A 124-Day Embargo With Zero Payout
According to the researcher, the vulnerability was reported to AMD through its bug bounty program managed on the Intigriti platform on February 5. However, AMD immediately closed the report, stating that the issue fell outside the scope of the company’s reward program because it involved an MITM attack scenario. As a result, the researcher was deemed entirely ineligible for a potential top-tier RCE bounty payment of approximately $10,000 (around ₹8.5 lakh).
The dispute escalated after MrBruh briefly published a blog post exposing the flaw. AMD’s Product Security Incident Response Team immediately re-engaged with the researcher, asking him to take down his post and agree to a temporary non-disclosure embargo while they evaluated a cross-product fix. Though AMD promised to issue a standard CVE and credit him, they held firm on denying the $10,000 payout. The company repeatedly extended the embargo window, taking a staggering 124 days to roll out a patch that went live on June 9.
Retroactive Gag Rules Spark Backlash
Further controversy emerged when researchers noticed that AMD heavily revised the legal language of its bug bounty program conditions. The updated policy guidelines added strict safe-harbor restrictions, explicitly stating that hackers are barred from publishing proofs-of-concept on platforms like YouTube or personal blogs even if their report is deemed completely ineligible or “out of scope” by the corporate triage team.
“You agree to adhere to any embargoes and refrain from discussing or disclosing any Vulnerability information without AMD’s prior written consent… even if the report is deemed ineligible for bounty or is out of scope.”
– Excerpt from AMD’s updated Program Conditions
While AMD has since patched the updater to enforce encrypted HTTPS downloads, MrBruh highlighted that the company merely replaced the issue with a weak CRC32 checksum routine rather than deploying true cryptographic signature verification. Cybersecurity advocates argue that by exploiting policy loopholes to skip payouts while enforcing retroactive gag rules, tech giants risk driving top independent talent to sell critical zero-day flaws to underground brokers instead of disclosing them safely.