What's Happening?
AMD faced criticism after denying a $10,000 bounty to a security researcher, MrBruh, who discovered a vulnerability in its auto-updater software. The flaw, identified on January 27, 2026, allowed potential man-in-the-middle attacks due to the use of plain HTTP for executable downloads and lack of certificate validation. Despite reporting the issue on February 6, AMD initially dismissed it as 'out of scope' and did not award a bounty. The vulnerability was later assigned CVE-2026-40677 with a CVSS score of 7.7. After public disclosure, AMD updated its bug bounty rules to require non-disclosure without written consent, a change criticized for being retroactively applied. AMD has since patched the vulnerability, but questions remain about the adequacy of the fix.
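The two weaknesses named above, executables fetched over plain HTTP and no certificate validation, are the same class of defect in any auto-updater. The following is an added illustration of what a defensively written update client checks before it will accept a download; it is not AMD's code or the researcher's proof of concept, and the URL, payload bytes and pinned digest are constructed placeholders. It enforces an HTTPS-only URL, a TLS context that validates the certificate chain and hostname, and a pinned SHA-256 over the payload before anything is handed to an installer.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder payload and its digest. A real updater would take the
# expected digest from a signed manifest rather than a hard-coded constant.
FAKE_PAYLOAD = b"MZ\x90\x00constructed-fake-installer-bytes"
FAKE_PAYLOAD_SHA256 = hashlib.sha256(FAKE_PAYLOAD).hexdigest()


class UpdateRejected(Exception):
    """Raised when an update download fails a safety check."""


def validate_update_url(url: str) -> str:
    """Refuse anything that is not https://. Plain HTTP lets an on-path party
    substitute the executable, which is the weakness the article describes."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"update URL must use HTTPS: {url!r}")
    return url


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that validates the server certificate chain and hostname.
    These are already the defaults of create_default_context(); setting them
    explicitly documents the intent and makes any later 'relaxation' visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def digest_matches(blob: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the payload's SHA-256 against the pinned value."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def _https_fetch(url: str) -> bytes:
    # Real network fetch with certificate validation; not used by the offline demo.
    with urllib.request.urlopen(url, context=strict_tls_context(), timeout=30) as resp:
        return resp.read()


def fetch_update(url: str, expected_sha256_hex: str, fetch=_https_fetch) -> bytes:
    """Download an update and return its bytes only if every check passes.
    `fetch` is injectable so the control flow can be exercised without a network."""
    validate_update_url(url)
    blob = fetch(url)
    if not digest_matches(blob, expected_sha256_hex):
        raise UpdateRejected("downloaded payload does not match the pinned SHA-256")
    return blob


if __name__ == "__main__":
    # Offline demonstration using the constructed payload in place of a real download.
    accepted = fetch_update("https://updates.example.invalid/agent.exe",
                            FAKE_PAYLOAD_SHA256, fetch=lambda _url: FAKE_PAYLOAD)
    print(len(accepted), "bytes accepted")
```

The digest check only helps if the expected value arrives through a channel the attacker cannot also rewrite, so in practice the manifest that carries it should be signed and the signature verified with a key shipped inside the client; transport security and content authentication are separate controls, and an updater needs both.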
Why Is It Important?
This incident highlights the challenges and complexities in the relationship between tech companies and security researchers. The handling of the vulnerability by AMD raises concerns about transparency and the effectiveness of bug bounty programs. Such programs are crucial for identifying and mitigating security risks, but their success depends on fair and timely recognition of researchers' contributions. The situation also underscores the importance of secure software update mechanisms, as vulnerabilities in these systems can lead to severe security breaches, affecting users and potentially leading to significant reputational damage for companies.