AMD Refused $10,000 Bounty and Took 124 Days to Patch Critical Updater Flaw

2 articles · Updated · gadgetreview.com · Jun 12

Summary

  • 124 days after a researcher reported it, AMD patched a critical Windows auto-updater flaw that could let attackers execute malicious code during routine software updates.
  • The vulnerability stemmed from AMD utilities downloading updates over unencrypted HTTP, enabling man-in-the-middle attackers on the same network to swap legitimate files for malware.
  • AMD declined the expected $10,000 bug bounty, saying man-in-the-middle attacks were excluded, even as it twice sought more time beyond an initial 90-day disclosure window.
  • The patch moved downloads to encrypted connections, but the updater still validates files with a CRC32 checksum rather than a cryptographic signature. CRC32 detects accidental corruption, not deliberate tampering, so the broader update-security concern remains unresolved.
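
The last point is worth making concrete. The example below is added here and is not AMD's code or the researcher's proof of concept; the update payloads, the attacker's replacement payload and the vendor key are constructed for the demonstration, and HMAC-SHA256 stands in for a real signature scheme to show the contrast. It shows that an attacker who can swap a download can also append four bytes to the replacement so that its CRC32 matches the published value, while a keyed integrity check cannot be satisfied without the vendor's key.

```python
"""Why a CRC32 check does not stop a tampered download.

Added example, not AMD's code. The payloads and key below are constructed
for this demonstration; HMAC-SHA256 is used as a stand-in for a signature.
"""
import hashlib
import hmac
import zlib

# Standard reflected CRC-32 lookup table (polynomial 0xEDB88320), the same
# one zlib.crc32 uses.
_POLY = 0xEDB88320
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ _POLY if c & 1 else c >> 1
    _TABLE.append(c)

# The top byte of every table entry is distinct, which is what lets the CRC
# be run backwards one byte at a time.
_REV = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}
assert len(_REV) == 256


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target_crc ^ 0xFFFFFFFF        # register the CRC must end on

    # Backward pass: from the target register, recover the table index each
    # of the last four byte-steps must have used.
    idx = [0] * 4
    x = want
    for k in range(3, -1, -1):
        idx[k] = _REV[x >> 24]
        x = ((x ^ _TABLE[idx[k]]) << 8) & 0xFFFFFFFF

    # Forward pass: choose each byte so the register walks through those
    # indices; the register ends exactly on `want`.
    suffix = bytearray()
    for k in range(4):
        suffix.append((reg ^ idx[k]) & 0xFF)
        reg = _TABLE[idx[k]] ^ (reg >> 8)
    assert reg == want
    return bytes(suffix)


def crc32_check(blob: bytes, expected_crc: int) -> bool:
    """What a CRC32-only updater does: accept anything with a matching checksum."""
    return zlib.crc32(blob) == expected_crc


def mac_check(blob: bytes, expected_tag: bytes, key: bytes) -> bool:
    """Keyed integrity check; the verifier needs the key the attacker lacks."""
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_tag)


# Constructed sample data (not real AMD files or keys).
LEGIT_UPDATE = b"MZ\x90\x00 amd-updater-component v1.2.3 (constructed sample)"
MALICIOUS_UPDATE = b"MZ\x90\x00 attacker dropper (constructed sample)"
VENDOR_KEY = b"constructed-vendor-key-never-sent-over-the-wire"


def simulate_mitm() -> tuple:
    """Swap the download on the wire and report what each verifier decides.

    Returns (crc_accepts_forgery, mac_accepts_forgery, forged_blob).
    """
    published_crc = zlib.crc32(LEGIT_UPDATE)
    published_tag = hmac.new(VENDOR_KEY, LEGIT_UPDATE, hashlib.sha256).digest()

    # Attacker only knows the published CRC; four trailing bytes fix it up.
    forged = MALICIOUS_UPDATE + forge_crc32_suffix(MALICIOUS_UPDATE, published_crc)

    return (
        crc32_check(forged, published_crc),              # True: forgery passes
        mac_check(forged, published_tag, VENDOR_KEY),    # False: forgery rejected
        forged,
    )


if __name__ == "__main__":
    crc_ok, mac_ok, blob = simulate_mitm()
    print(f"forged blob CRC32 matches published value: {crc_ok}")
    print(f"forged blob passes keyed check:            {mac_ok}")
```

Appending the fix-up bytes works because CRC32 is linear: any 32-bit value can be reached with four free bytes regardless of what precedes them, and trailing bytes past the end of an executable image are typically ignored by loaders. A signature check (or, as here, a MAC keyed with a secret the attacker does not hold) has no such shortcut, which is why moving to HTTPS narrows the attack surface but does not replace signed updates.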

Insights

AMD's patched updater still validates files with a CRC32 checksum, not a cryptographic signature. What other basic security flaws are hiding in plain sight?
When a tech giant's security patch is itself incomplete, should we ever trust automatic updates again?
AMD cited a man-in-the-middle exclusion to deny a researcher's bounty while still asking for more time to fix the bug. Is this the future of corporate bug bounty programs?