AMD Denies $10,000 Bounty After 124-Day Patch of HTTP MITM Flaw in Auto-Updater
AMD refused the bounty after a 124-day fix cycle on an HTTP MITM flaw affecting auto-updates. The patch left CRC32 validation in place. This case illustrates standard vendor tactics for limiting researcher compensation while extending disclosure windows.
LaRosa reported the remote code execution risk in AMD's Ryzen Master and related utilities in February 2024. The updater retrieved files over plaintext HTTP, enabling network attackers to substitute malicious payloads during trusted update flows. AMD acknowledged the report, requested extended disclosure windows beyond the standard 90 days, and delivered the patch on day 124 while denying payment under an MITM policy exclusion.
The 124-day interval exceeds typical critical vulnerability timelines of 5-14 days. Post-patch binaries continue to rely on CRC32 checksum validation rather than cryptographic signatures, leaving the mechanism susceptible to tampering. Comparable cases at Intel and NVIDIA show bounty payouts issued within 30 days of patch release when disclosure timelines were met.
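To make the integrity point concrete, the following is an added illustration (not code from the researcher's report or from AMD's updater) of why a CRC32 check gives no protection against an on-path substitution: the checksum travels over the same untrusted channel as the file, so anyone who replaces the file simply recomputes it. A signature verified against a key pinned in the updater cannot be regenerated that way. The key pair, package layout, function names and sample payload strings are all constructed for this demonstration and are not AMD's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// UpdatePackage is what the updater receives from the download channel:
// the binary plus whatever integrity metadata travelled with it.
// (Constructed layout for this example; not AMD's real update format.)
type UpdatePackage struct {
	Payload   []byte
	CRC       uint32 // checksum supplied by the same channel as Payload
	Signature []byte // Ed25519 signature over Payload by the vendor key
}

// PublishUpdate is the vendor side: emit the payload with both a CRC32
// (the kind of check the article says the patched updater still relies on)
// and a signature from the vendor's private key.
func PublishUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{
		Payload:   payload,
		CRC:       crc32.ChecksumIEEE(payload),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyWithCRC32 mirrors the weak design: the checksum is trusted even
// though it arrived over the same untrusted (plaintext HTTP) channel.
// It detects accidental corruption only, never deliberate replacement.
func VerifyWithCRC32(pkg UpdatePackage) bool {
	return crc32.ChecksumIEEE(pkg.Payload) == pkg.CRC
}

// VerifyWithSignature checks the payload against a public key that is
// pinned inside the updater at build time, so the channel cannot supply it.
func VerifyWithSignature(pinned ed25519.PublicKey, pkg UpdatePackage) bool {
	return ed25519.Verify(pinned, pkg.Payload, pkg.Signature)
}

// SimulateInTransitReplacement models, for a test harness, the threat the
// article describes: a network position lets an on-path party rewrite the
// whole response, so the payload and its accompanying CRC are both replaced.
// The signature cannot be regenerated without the vendor's private key.
func SimulateInTransitReplacement(pkg UpdatePackage, replacement []byte) UpdatePackage {
	return UpdatePackage{
		Payload:   replacement,
		CRC:       crc32.ChecksumIEEE(replacement),
		Signature: pkg.Signature, // stale: signs the genuine payload, not this one
	}
}

// Outcome summarises how each verifier treats a genuine and a replaced package.
type Outcome struct {
	CRCAcceptsGenuine, CRCAcceptsReplaced bool
	SigAcceptsGenuine, SigAcceptsReplaced bool
}

// RunScenario generates a throwaway vendor key pair, publishes a constructed
// update, replaces it in transit and reports what each check decides.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := PublishUpdate(priv, []byte("constructed sample: vendor-updater-1.2.3.exe"))
	replaced := SimulateInTransitReplacement(genuine, []byte("constructed sample: substituted installer"))
	return Outcome{
		CRCAcceptsGenuine:  VerifyWithCRC32(genuine),
		CRCAcceptsReplaced: VerifyWithCRC32(replaced),
		SigAcceptsGenuine:  VerifyWithSignature(pub, genuine),
		SigAcceptsReplaced: VerifyWithSignature(pub, replaced),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRC32:     genuine=%v replaced=%v\n", o.CRCAcceptsGenuine, o.CRCAcceptsReplaced)
	fmt.Printf("signature: genuine=%v replaced=%v\n", o.SigAcceptsGenuine, o.SigAcceptsReplaced)
}
```

Running it prints that the CRC32 check accepts both the genuine and the replaced package while the signature check accepts only the genuine one. The design point for an updater is that the trust anchor (the pinned public key) must not be obtainable from the download channel; moving the download to HTTPS narrows the on-path exposure, but a signature over the payload is what makes the file itself tamper-evident regardless of transport.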
This incident aligns with documented patterns where vendors invoke narrow policy clauses to avoid payouts on high-impact but technically common flaw classes. The combination of delayed remediation and retained weak integrity checks increases exposure for systems running AMD management software. Researchers have escalated similar non-payment disputes to coordinated disclosure lists and regulatory filings.
AMD has not published an updated bounty policy or CVE entry. Future reports on the same updater components are expected to route through public channels rather than coordinated programs.
AMD: Revised bounty policy excluding MITM cases published within 90 days or public CVE assigned.
Sources (2)
- [1] Researcher Report and Timeline: https://github.com/paullarosa/AMD-AutoUpdater-Vuln
- [2] AMD Security Advisories: https://www.amd.com/en/corporate/product-security