AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw

TechSpot technology

Key Points:

  • AMD patched a remote code execution vulnerability in its auto-updater software: the updater fetched update binaries over plain HTTP and did not verify their signatures, so an attacker on the network path (a man-in-the-middle) could substitute a malicious executable and have the updater run it.
  • Security researcher MrBruh discovered the flaw and reported it to AMD, but the company initially dismissed the bug as "out of scope", refused a bounty, and later amended its bug bounty rules to require that reporters stay silent even about reports AMD deems out of scope.
  • After MrBruh published the details, AMD acknowledged the vulnerability, credited him, and released patched versions of the affected software, though questions remain about whether the fix is sufficient, particularly regarding signature verification.
  • MrBruh verified that update traffic now uses HTTPS, but found that downloaded executables are checked only with CRC32. CRC32 is an error-detecting checksum, not a cryptographic integrity check: it is linear, so anyone who can tamper with the file can also adjust it to produce whatever checksum value the updater expects. He also identified a redirection bug that may stop the updater from working at all.
  • Given these ongoing concerns, the researcher advises users to fully uninstall AMD's updater software and manually download the latest versions from AMD's website.
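To make the CRC32 point concrete, the following is an added example written for this page; it is not code from the article, from MrBruh's write-up, or from AMD's updater. It uses constructed byte strings standing in for a genuine installer and an attacker's replacement, and the function names (forge_crc32_suffix, updater_check_crc32, updater_check_sha256, mitm_replace_download) are this example's own. It shows that an on-path attacker who swaps the download can append four bytes to the tampered file so its CRC32 equals the genuine file's, while a SHA-256 digest obtained over an authenticated channel (used here as a stand-in for proper signature verification) still rejects the swap.

```python
import hashlib
import hmac
import zlib

# Constructed sample "installers" (not real AMD binaries) standing in for the
# genuine update and a man-in-the-middle's replacement.
GENUINE_UPDATE = b"MZ\x90\x00 genuine updater payload v1.0 " * 4
MALICIOUS_UPDATE = b"MZ\x90\x00 attacker-supplied payload    " * 4

CRC32_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib, ZIP and PNG


def _crc32_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()
# For CRC-32 the top byte of each table entry is unique, which lets one
# table step be run backwards by looking up the top byte of the output register.
_INDEX_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_INDEX_BY_TOP_BYTE) == 256


def _undo_zero_byte_step(reg: int) -> int:
    # Forward step for a zero byte: nxt = _TABLE[reg & 0xFF] ^ (reg >> 8).
    # The top byte of nxt comes only from the table entry, so it identifies
    # i = reg & 0xFF; the low 24 bits of nxt ^ _TABLE[i] are reg >> 8.
    i = _INDEX_BY_TOP_BYTE[reg >> 24]
    return ((reg ^ _TABLE[i]) << 8) | i


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that crc32_of(data + suffix) == target_crc.

    Feeding four bytes x into the CRC register is the same as feeding four
    zero bytes into (register ^ x), and the zero-byte transform is invertible,
    so the suffix is inverse(target register) ^ current register.
    """
    current = crc32_of(data) ^ 0xFFFFFFFF  # undo zlib's final XOR
    wanted = target_crc ^ 0xFFFFFFFF
    for _ in range(4):
        wanted = _undo_zero_byte_step(wanted)
    return (wanted ^ current).to_bytes(4, "little")


def updater_check_crc32(downloaded: bytes, expected_crc: int) -> bool:
    """The weak check: accept the file if its CRC32 matches."""
    return crc32_of(downloaded) == expected_crc


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def updater_check_sha256(downloaded: bytes, expected_hex: str) -> bool:
    """Stand-in for a real integrity check: compare against a SHA-256 digest
    obtained over an authenticated channel (or carried inside a verified
    signature). compare_digest avoids timing leaks on the comparison."""
    return hmac.compare_digest(sha256_hex(downloaded), expected_hex)


def mitm_replace_download(genuine: bytes, malicious: bytes) -> bytes:
    """What an on-path attacker can do against a CRC32-only updater:
    ship the malicious file plus four bytes that make its CRC32 match."""
    return malicious + forge_crc32_suffix(malicious, crc32_of(genuine))


if __name__ == "__main__":
    forged = mitm_replace_download(GENUINE_UPDATE, MALICIOUS_UPDATE)
    print("CRC32 check accepts tampered file:",
          updater_check_crc32(forged, crc32_of(GENUINE_UPDATE)))
    print("SHA-256 check accepts tampered file:",
          updater_check_sha256(forged, sha256_hex(GENUINE_UPDATE)))
```

Appending four bytes to a Windows executable does not stop it from running (the loader ignores trailing overlay data), so the forged file behaves exactly as the attacker intends while passing the checksum. A digest comparison like updater_check_sha256 only helps if the expected digest itself reaches the client over an authenticated channel; in practice that means verifying a code signature on the downloaded binary, which is the check the researcher says is still missing.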
