TechDisputed*

Corrected

AMD refused $10K bug bounty after researcher found critical flaw in its auto-updaterresearcher found a critical RCE in AMD's auto-updater and got stiffed on the $10k bounty

Q: AMD's Windows auto-updater downloaded software over insecure HTTP, enabling network-based malware injection.

Status: sourced. Sources under review.

Q: Researcher Paul LaRosa reported the critical remote code execution vulnerability.

Status: sourced. Sources under review.

Q: AMD took 124 days to fix the flaw.

Status: sourced. Sources under review.

Q: AMD refused to pay LaRosa the $10,000 bug bounty despite acknowledging the issue.

Status: sourced. Sources under review.

Q: The patched version uses HTTPS but relies on CRC32 validation instead of cryptographic signatures.

Status: sourced. Sources under review.

Q: Whether other researchers will disclose similar experiences with AMD's bounty program.

Status: developing. Sources under review.

Q: Whether AMD has an official bug bounty program or if LaRosa submitted through a third-party platform.

Status: sketchy. Sources under review.

Q: The exact date LaRosa first reported the vulnerability to AMD.

Status: sketchy. Sources under review.

by The DeskMachine-generated · Human-vetted

Single source

Published 0m ago1 min read

ReviewedMod review

AMD refused $10K bug bounty after researcher found critical flaw in its auto-updater

Receipts · developing

1 linked receipt from Gadget Review. Read these before sharing.

View receipts first →

Rising— This story is picking up steam

Freshness 0.95Engagement 0Sources 0.8

01What happened

The story, straight

Security researcher Paul LaRosa discovered that AMD's Windows auto-updater was downloading software over insecure HTTP connections, allowing network attackers to inject malware during routine updates. AMD acknowledged the critical remote code execution vulnerability, took 124 days to fix it, and still refused to pay the $10,000 bug bounty LaRosa requested. The patched version replaced HTTP with HTTPS but still relies on weak CRC32 validation rather than cryptographic signatures.

Paul LaRosa found AMD's auto-updater was pulling software over plain HTTP — anyone on the same network could inject malware during a routine update. AMD confirmed it was a critical RCE, took 124 days to patch it, and then told him no on the $10k bounty. The fix switched to HTTPS but still uses CRC32 instead of proper cryptographic signatures, which is a weird choice for a company that just stiffed the guy who found the hole.

02Spread timeline

Where it actually started

Jun 12, 2026Origin

Disclosure published detailing AMD's refusal to pay $10K bounty to researcher Paul LaRosa after 124-day fix.disclosure goes public — AMD refused the $10k bounty after a 124-day patch cycle

source

03Source receipts

Every claim, linked

Gadget Review

Full write-up detailing Paul LaRosa's discovery of the HTTP vulnerability in AMD's Windows auto-updater, the 124-day fix timeline, the refusal of the $10,000 bounty, and the weak CRC32 validation in the patch.

primaryhackernewssignal

04Claim-level check

Claims, status, and receipts

ClaimStatusReceiptsAction

AMD's Windows auto-updater downloaded software over insecure HTTP, enabling network-based malware injection.sourcedStory receiptsSuggest fix

Researcher Paul LaRosa reported the critical remote code execution vulnerability.sourcedStory receiptsSuggest fix

AMD took 124 days to fix the flaw.sourcedStory receiptsSuggest fix

AMD refused to pay LaRosa the $10,000 bug bounty despite acknowledging the issue.sourcedStory receiptsSuggest fix

The patched version uses HTTPS but relies on CRC32 validation instead of cryptographic signatures.sourcedStory receiptsSuggest fix

Whether other researchers will disclose similar experiences with AMD's bounty program.developingStory receiptsSuggest fix

Whether AMD has an official bug bounty program or if LaRosa submitted through a third-party platform.sketchyStory receiptsSuggest fix

The exact date LaRosa first reported the vulnerability to AMD.sketchyStory receiptsSuggest fix

04bReader FAQ

Claims, answered

Is it true that AMD's Windows auto-updater downloaded software over insecure HTTP, enabling network-based malware injection.?

Is it true that Researcher Paul LaRosa reported the critical remote code execution vulnerability.?

Is it true that AMD took 124 days to fix the flaw.?

Is it true that AMD refused to pay LaRosa the $10,000 bug bounty despite acknowledging the issue.?

Is it true that The patched version uses HTTPS but relies on CRC32 validation instead of cryptographic signatures.?

Is it true that Whether other researchers will disclose similar experiences with AMD's bounty program.?

Is it true that Whether AMD has an official bug bounty program or if LaRosa submitted through a third-party platform.?

Is it true that The exact date LaRosa first reported the vulnerability to AMD.?

How this was made

Written byThe Desk (DeepSeek)

Reviewed byAutonomous reviewer

Confidencedeveloping

Sources1 distinct source

Vetted by0 readers (0% sourced)

Fills a tech coverage gap with specific, checkable claims from Gadget Review — the HTTP-to-HTTPS switch, 124-day fix timeline, and CRC32 patch detail are concrete, not vague — and the bug-bounty-stiffing angle is distinctly internet-culture: this resonates with security researchers and the broader ethical-disclosure community.

05Why it matters

The editorial take

Bug bounty programs are the primary incentive structure for independent security research. When a major chipmaker acknowledges a critical flaw, fixes it after four months, and still refuses to pay, it signals to the researcher community that responsible disclosure may not be worth the effort. The weak post-fix validation (CRC32 over cryptographic signatures) suggests AMD treated this as a checkbox rather than a genuine security priority.

This is the kind of story that makes researchers stop reporting bugs responsibly. AMD confirmed the flaw, fixed it on their own timeline, and still said no to the bounty — which is basically the worst outcome for a disclosure. If you're a security researcher watching this, why bother going through official channels?

Reader confidencereader check

Tap your read — readers grade the story, not the vibe.tap your read. we grade the story not the vibe.

0votes

No votes yet — be the first to check this story

FixCommunity correctionSuggest a sourced correctionSend a structured fix to moderator review.

Public story text does not change until an admin approves it.

Be specificPoint to the headline, claim, timeline, or receipt that needs work.

Bring evidenceInclude the best source URL you have, even if it only adds context.

Expect reviewModerators approve, reject, or request better sourcing before changes go live.

About trust & governance on Looped

The desk drafted this. Readers check it. Moderators approve corrections.Checks prioritize review; approved changes create version history.

ReviewLast reviewed by moderator

CorrectionsNo approved community corrections yet

Receipts1 attached

Versionv3

LiveLiving story

Every approved fix becomes part of the record.

Looped stories are not disposable posts: receipts, claims, reader checks, and moderator decisions can change the approved version over time.

Current versionv3

Sourced claims5

Open disputes0

Latest trust eventcorrection approved

Desk draft createdFirst structured version
Receipts attached1 linked source
Moderator reviewedCurrent version approved for readers
Current trust eventcorrection approved

ModAccountability trail

Community input goes through a visible approval path.

StatusApproved by moderator

Trust eventcorrection approved

Approved fixes0

Trust labels should come from receipts, claim status, and moderator approval — not from heat alone.Reader votes can force closer review, but the public confidence label should move only when the evidence and approved story state move with it.

If this story changes, readers should be able to see what changed and why.Big edits should resolve into version history, updated trust state, and visible evidence — not a silent rewrite.

Readers should not have to guess whether a story quietly changed.When major framing, claims, or receipts move, the version history should explain it and the trust state should reflect it.

Standard and Native change the voice, not the facts.The wording can shift for readability or internet tone, but receipts, claims, and moderator-approved story state stay the same.

These stories should stay understandable even if you do not already speak the internet's native dialect.Voice can flex between Standard and Native, but the product should keep receipts, claims, and cultural context legible either way.