June 12, 2026
Patch me outside, AMD
AMD Stiffs Researcher $10k Bug Bounty
AMD fixed the danger, skipped the cash, and left commenters asking who the real fool is
TLDR: AMD fixed a serious update flaw that could have let attackers slip malware onto people’s computers, but the researcher says he got no $10,000 reward and had to wait four months. Commenters were furious, with some arguing this is exactly how companies discourage honest bug reports and fuel darker choices.
A security researcher says AMD left the front door wide open by letting one of its Windows update tools fetch software over unencrypted HTTP, meaning someone on the same network could potentially swap in malware during a normal update. AMD eventually fixed it after about four months, but the real fireworks started when the company reportedly paid nothing on a bug bounty the researcher expected to be worth $10,000. That detail turned the comment section from mild concern into full-on "are you kidding me?" mode.
The hottest reaction came from users who saw this as a terrible message to security researchers: find a serious problem, wait months, then maybe get a polite shrug. One especially grumpy commenter, wilburTheDog, went straight for the moral crisis at the center of bug bounties, asking when it starts making more sense to go "black hat" if companies reward good-faith reporting with "more than the finger." That’s the kind of comment that lands like a brick because it says the quiet part out loud: if companies don’t pay or move fast, why should anyone help them?
There was also a little classic internet chaos. One commenter simply dropped the researcher’s own write-up, while another rolled in with the ultimate forum buzzkill: "[dupe]" and a link to an older thread, because no online pile-on is complete without someone acting like the repost police. The result? A familiar tech drama cocktail: corporate policy loopholes, security panic, and a comment section torn between anger, cynicism, and the dark humor of watching a giant company save money in the worst possible way.
Key Points
- The article says AMD’s Windows auto-updater downloaded software over insecure HTTP, exposing users to interception and tampering.
- Researcher Paul LaRosa reported the flaw, which the article describes as enabling remote code execution through a man-in-the-middle attack.
- According to the article, AMD acknowledged the issue but declined a $10,000 bug bounty because its policy excluded man-in-the-middle attacks.
- The article states that AMD requested repeated disclosure delays and released a patch 124 days after the initial report.
- The patch reportedly moved downloads to encrypted transport, but the article says the updater still uses CRC32 rather than cryptographic signatures for validation.
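As an added example (not code from the article, the researcher, or AMD), this Go program contrasts the checksum-only validation the last point describes with a signed-update check using a key pinned in the updater; the manifest layout, function names and the payload are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Manifest is a constructed stand-in for the metadata an updater fetches next
// to a package. Crc is the kind of value a CRC32-only updater checks; Sig is the
// Ed25519 signature over the package bytes that a signed-update design carries.
type Manifest struct {
	Crc uint32
	Sig []byte
}

// Publish computes the manifest for a package using the vendor signing key
// (generated here only for the demo).
func Publish(pkg []byte, priv ed25519.PrivateKey) Manifest {
	return Manifest{Crc: crc32.ChecksumIEEE(pkg), Sig: ed25519.Sign(priv, pkg)}
}

// VerifyCRC mirrors a checksum-only check: the expected CRC arrives over the same
// untrusted channel as the package, so whoever can rewrite the package can also
// rewrite the CRC, and the check detects only accidental corruption.
func VerifyCRC(pkg []byte, m Manifest) bool {
	return crc32.ChecksumIEEE(pkg) == m.Crc
}

// VerifySignature checks the package against a public key compiled into the
// updater; without the vendor's private key, no matching signature can be produced.
func VerifySignature(pkg []byte, m Manifest, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, pkg, m.Sig)
}

// Tamper models the failure mode: a modified package with the CRC recomputed to
// match, while the signature (which cannot be recomputed) is left unchanged.
func Tamper(pkg []byte, m Manifest) ([]byte, Manifest) {
	evil := append([]byte("MODIFIED:"), pkg...)
	return evil, Manifest{Crc: crc32.ChecksumIEEE(evil), Sig: m.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed update payload v1.2.3") // constructed sample
	m := Publish(pkg, priv)
	fmt.Println("clean    crc:", VerifyCRC(pkg, m), "sig:", VerifySignature(pkg, m, pub))
	evil, em := Tamper(pkg, m)
	fmt.Println("tampered crc:", VerifyCRC(evil, em), "sig:", VerifySignature(evil, em, pub))
}
```

The tampered package passes the CRC32 check and fails the signature check, which is the gap the last bullet points at.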