AMD Stiffs Researcher $10,000 Bug Bounty After Essential Security Flaw, Takes 124 Days to Fix

Finding a vital safety vulnerability ought to get you rewarded, not stiffed. AMD’s auto-updater was downloading software program over insecure HTTP connections, letting community attackers slip malicious code onto your system throughout routine updates. The researcher who discovered this distant code execution flaw anticipated a $10,000 bounty. Instead, AMD mounted the issue after 4 months and paid nothing.

The Flaw That Could Own Your System

A trusted replace course of grew to become an open freeway for malware supply.

Paul LaRosa found that AMD’s Windows auto-updater—utilized by Ryzen Master and different utilities—was grabbing updates via unencrypted HTTP connections. Anyone positioned in your community may carry out a man-in-the-middle attack, swapping respectable driver downloads with malware. Think of it like ordering meals supply however letting strangers intercept and change your meal between the restaurant and your door. Your system would fortunately set up regardless of the attacker served up, believing it got here from AMD.

This impacts you if you happen to’ve used AMD utilities that deal with computerized updates. The vulnerability created a freeway for attackers to realize remote code execution, basically gaining management of your machine via what needs to be a trusted replace course of.

Four Months of “Just a Little More Time”

What began as a 90-day disclosure window stretched right into a four-month ready sport.

AMD acknowledged the flaw was actual however refused the bounty, citing coverage exclusions for man-in-the-middle assaults. The firm requested LaRosa to delay public disclosure in February, promising a repair inside 90 days—commonplace apply in safety analysis. Then AMD requested for extra time. Then extra once more. The closing patch arrived 124 days after the preliminary report.

Compare that timeline to safety finest practices: vital vulnerabilities needs to be patched inside 5-14 days, not over 4 months. It’s like your physician discovering most cancers and scheduling remedy for subsequent season. Some flaws demand urgency, particularly these affecting computerized replace mechanisms that customers belief to maintain them safe.

Still Using Weak Security After the “Fix”

The patch solved one drawback however left deeper safety weaknesses untouched.

AMD reengineered the auto-updater to make use of encrypted downloads, however the repair reveals deeper issues. The up to date software program nonetheless validates downloaded information utilizing CRC32—a checksum that’s about as safe as a display screen door. Modern software program ought to use cryptographically signed updates that may’t be solid, not checksums that decided attackers can manipulate.

This case exposes how main distributors deal with safety: repair the speedy drawback, keep away from paying researchers via coverage loopholes, and depart underlying weaknesses in place. You’re left questioning which different “secure” auto-updaters are equally weak, and whether or not corporations care extra about their bug bounty price range than your system safety.