
AMD changes rules, denies researcher $10,000 bounty after taking 124 days to patch security flaw

By Business Circle Team, June 12, 2026


WTF?! AMD has patched a remote code execution vulnerability in its auto-updater software, but there’s much more to this story. The company is facing a slew of criticism over how it handled the researcher who reported it. Team Red first dismissed the bug as “out of scope,” then asked him to stay quiet, then changed its rules after the fact to make that silence a requirement.

The vulnerability was discovered by security researcher MrBruh after an AMD updater console window kept appearing on his new gaming PC.

Decompiling the software revealed that while AMD’s updater pulled its update list over HTTPS, the executable download links themselves used plain HTTP. Worse still, the updater apparently performed no certificate validation or real signature check before running the downloaded file.

That vulnerability could allow a man-in-the-middle attack. Someone on the same network, or able to interfere with the connection further upstream, could potentially replace AMD’s update file with a malicious executable. Because the updater runs with elevated privileges, the result could be remote code execution.

After discovering it on January 27, MrBruh reported the issue to AMD on February 6 through its bug bounty program. The company’s response was to close the report because it was deemed “out of scope,” since it involved a man-in-the-middle attack and affected optional tools. That meant no bounty, despite the bug later receiving CVE-2026-40677 and a CVSS 4.0 score of 7.7. The entire process lasted 124 days, with the embargo ending on June 9.

After MrBruh published his findings and the post gained traction on Hacker News, AMD’s internal PSIRT team reappeared to say the issue was still being reviewed. The company then asked him to take the post down while it worked on a fix, saying the disclosure did not appear to comply with the program’s terms.

According to Gamers Nexus, AMD later changed the wording of its bug bounty rules to state that researchers must not disclose vulnerability information without AMD’s written consent even when a report is deemed ineligible for a bounty or out of scope. It appears AMD accused MrBruh of breaking a rule it introduced only after he violated it.

AMD’s official bulletin now acknowledges the vulnerability and credits MrBruh. It lists AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Administration Console 14.0.0 as mitigated versions. But the patch still raises questions.

AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
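To illustrate the distinction drawn above, here is an added example (not AMD's code and not from the researcher's write-up) of a pre-execution gate an updater could apply, next to a check showing why CRC32 cannot stand in for a signature. The manifest field names, the host `updates.example.com` and the sample bytes are assumptions. The SHA-256 pin is a simpler stand-in for full publisher-signature verification and is only as trustworthy as the HTTPS-fetched manifest that carries it.

```python
import hashlib
import hmac
import zlib
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"updates.example.com"}  # hypothetical vendor download host


def verify_update(entry: dict, payload: bytes) -> tuple[bool, str]:
    """Decide whether a downloaded installer may run.

    `entry` is one record from an update manifest fetched over
    certificate-validated HTTPS; its field names are assumptions.
    """
    url = urlsplit(entry.get("url", ""))
    if url.scheme != "https":
        return False, "download URL is not HTTPS"
    if url.hostname not in ALLOWED_HOSTS:
        return False, "download host is not allow-listed"
    expected = str(entry.get("sha256", "")).lower().encode()
    actual = hashlib.sha256(payload).hexdigest().encode()
    if not hmac.compare_digest(actual, expected):
        return False, "SHA-256 digest mismatch"
    return True, "ok"


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, CRC32(a^b^c) == CRC32(a)^CRC32(b)^CRC32(c).

    The checksum is a keyless, linear function of the data: it catches
    accidental corruption but proves nothing about who produced the file.
    """
    assert len(a) == len(b) == len(c)
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


# Constructed sample data, not taken from any real updater.
PAYLOAD = b"MZ" + b"constructed installer bytes" * 4
ENTRY = {
    "url": "https://updates.example.com/tool-setup.exe",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}

if __name__ == "__main__":
    print(verify_update(ENTRY, PAYLOAD))
    print(verify_update({**ENTRY, "url": "http://updates.example.com/tool-setup.exe"}, PAYLOAD))
    print(verify_update(ENTRY, PAYLOAD + b"\x00"))
    print(crc32_is_affine(b"alpha-01", b"bravo-02", b"delta-03"))
```
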

MrBruh also says a separate redirection bug means the updater may not be able to update itself properly. He recommends that users fully uninstall AMD’s software and download the latest versions manually from the company’s website instead.


