A security researcher has recently accused AMD of mishandling a security vulnerability he reported. AMD not only took 124 days to ship a patch, but afterwards changed the terms of its bug bounty program and used them as grounds to refuse the US$10,000 bounty he says he was owed, prompting widespread criticism in the industry.

According to reports, the researcher, who goes by "MrBruh" online, kept seeing the AMD updater's console window pop up on his newly built gaming PC, grew suspicious of the automatic update software, and started reverse engineering it. His analysis showed that although the updater retrieves its update list over HTTPS, the link it actually uses to download the update executable is plain HTTP, and the file is run without any certificate or signature verification. Anyone on the same network, or in control of an upstream hop, could therefore swap AMD's update file for a malicious executable with a man-in-the-middle attack; since the updater itself runs with elevated privileges, this amounts to a remote code execution risk.
MrBruh found the flaw on January 27 and formally submitted a report through AMD's bug bounty program on February 6. AMD later closed the report as "out of scope", reasoning that it required a man-in-the-middle scenario and affected "optional tools", so no bounty would be paid. The vulnerability has nonetheless since been assigned CVE-2026-40677 with a CVSS 4.0 score of 7.7 (High), hardly a minor issue. The whole process from report to patch and embargo lift took 124 days, with the disclosure embargo ending on June 9.
After AMD's initial rejection, MrBruh published a public technical write-up, which drew attention from communities such as Hacker News. As the discussion grew, AMD's Product Security Incident Response Team (PSIRT) got back in touch with him, said the issue was still under evaluation, and asked him to take the public article down for the time being, suggesting that his disclosure did not appear to comply with the bounty program's terms.


An investigation by the hardware outlet Gamers Nexus found that AMD subsequently changed the wording of its bounty program rules. The new terms state explicitly that even when a report is judged ineligible for a reward or out of scope, researchers may not publish the vulnerability details without AMD's written consent. In other words, AMD stands accused of first denying the vulnerability's validity and the bounty under the old rules, then changing the rules after the fact, and then accusing the researcher of breaching a clause that had not yet been written when he disclosed.
AMD has now publicly acknowledged the vulnerability in an official security bulletin and credits MrBruh in it. The bulletin states that the fix is included in AMD Ryzen Master 2.14.3, AMD µProf 5.3 and AMD Management Console 14.0.0, among others. AMD told the researcher that all update traffic now goes over HTTPS and that a signature verification step has been added to the update process. On retesting, however, MrBruh reported that while he could confirm the switch to HTTPS, the only check he found on the downloaded executable was a CRC32, which is not cryptographic signature verification in any security sense.
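The two technical points above, an installer executed with no signature check and, after the patch, only a CRC32 compare, come down to the difference between an error-detecting checksum and a digital signature. The Go program below is an added example written for this page; it is not AMD's updater code and not MrBruh's tooling, and the manifest layout, the key handling and the sample file contents are assumptions made for illustration. ForgeCRC32 appends four bytes to any file so that its CRC-32/IEEE equals whatever value the updater expects, which is why a CRC compare on a file fetched over an unauthenticated path stops nothing, while VerifyUpdate checks a SHA-256 digest signed with Ed25519 by a key the client pins, which an attacker cannot recompute without the vendor's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash/crc32"
)

// CRC32Passes models the kind of check MrBruh reports finding after the patch:
// the CRC-32 of the downloaded file compared against an expected value.
func CRC32Passes(expected uint32, downloaded []byte) bool {
	return crc32.ChecksumIEEE(downloaded) == expected
}

// ForgeCRC32 appends four bytes to payload so that crc32.ChecksumIEEE of the
// result equals target. CRC-32 is linear over GF(2) and four input bytes flush
// the 32-bit register completely, so every target is reachable for any payload.
func ForgeCRC32(payload []byte, target uint32) []byte {
	tbl := crc32.IEEETable
	// Reverse lookup: the top byte of tbl[i] is distinct for every i.
	var rev [256]byte
	for i := 0; i < 256; i++ {
		rev[tbl[i]>>24] = byte(i)
	}
	// Undo the final XOR to get the register value we must finish on, then walk
	// the four per-byte update steps backwards to recover the table index each
	// step has to use (only the top byte of each intermediate state is needed).
	var idx [4]byte
	s := target ^ 0xFFFFFFFF
	for k := 3; k >= 0; k-- {
		idx[k] = rev[s>>24]
		s = (s ^ tbl[idx[k]]) << 8
	}
	// Replay forwards from the real register state after payload, picking each
	// trailing byte so that the update step lands on the recovered index.
	var tail [4]byte
	s = crc32.ChecksumIEEE(payload) ^ 0xFFFFFFFF
	for k := 0; k < 4; k++ {
		tail[k] = byte(s) ^ idx[k]
		s = tbl[idx[k]] ^ (s >> 8)
	}
	return append(append([]byte{}, payload...), tail[:]...)
}

// Manifest is an assumed layout for what an authenticated update channel should
// deliver: the digest of the installer, signed by a vendor key the client pins.
type Manifest struct {
	Digest [sha256.Size]byte
	Sig    []byte
}

// NewVendorKey stands in for the vendor's release-signing key pair (assumed).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor-side step, run at release time with the private key.
func SignManifest(priv ed25519.PrivateKey, installer []byte) Manifest {
	m := Manifest{Digest: sha256.Sum256(installer)}
	m.Sig = ed25519.Sign(priv, m.Digest[:])
	return m
}

// VerifyUpdate is the client-side check: the signature binds the digest to the
// pinned vendor key, and the digest binds the bytes that were actually fetched.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, downloaded []byte) error {
	if !ed25519.Verify(pub, m.Digest[:], m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if got := sha256.Sum256(downloaded); got != m.Digest {
		return errors.New("downloaded file does not match signed digest")
	}
	return nil
}

func main() {
	// Constructed sample contents; real installers would be PE files.
	genuine := []byte("MZ genuine installer (constructed sample)")
	malicious := []byte("MZ attacker payload (constructed sample)")

	// A CRC-32 pinned from the genuine file is matched by the forged one.
	expectedCRC := crc32.ChecksumIEEE(genuine)
	forged := ForgeCRC32(malicious, expectedCRC)
	fmt.Printf("CRC32 check accepts forged file: %v\n", CRC32Passes(expectedCRC, forged))

	// A signed digest is not: the forged file fails, the genuine one passes.
	pub, priv := NewVendorKey()
	m := SignManifest(priv, genuine)
	fmt.Println("signature check, genuine file:", VerifyUpdate(pub, m, genuine))
	fmt.Println("signature check, forged file:", VerifyUpdate(pub, m, forged))
}
```

The forgery only needs the expected CRC value, which the updater must hold anyway, so a CRC can only ever detect accidental corruption; an attacker who can replace the file can match it at the cost of four extra bytes. A signed digest moves the trust to a key the attacker does not have, and it must be checked before the file is executed, not just logged.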
The researcher also mentioned a separate redirect-handling flaw in the updater that can stop its own update process from completing. Given these issues, MrBruh recommends that users uninstall their current AMD software entirely and download the latest version manually from AMD's official website to reduce their exposure.
The incident not only exposed the weak design of AMD's automatic update mechanism but also set off a discussion about how large vendors treat security researchers. Critics argue that AMD's handling, from first excluding the issue from the bounty program to later rewriting the rules to restrict disclosure, risks damaging the security community's trust in its vulnerability disclosure process.