AMD Denied $10K Bounty After CVE-2026-40677 Fix
Sometimes finding a vulnerability proves far easier than extracting an honest response from the vendor. That is precisely the experience of security researcher MrBruh, who uncovered a serious flaw in AMD software and ultimately walked away without the bounty he had been promised.
A Popup That Led to a Vulnerability
Everything began with an irritating update popup from an AMD utility on a new gaming computer. While examining the program’s code, MrBruh made a telling discovery. Although the update manifest was fetched over encrypted HTTPS, the actual executable files were downloaded over unencrypted HTTP. Worse, the utility performed no certificate or signature verification before executing those files.
This opened the door to a classic man-in-the-middle attack. Any adversary positioned within the same network, or capable of intercepting the connection, could silently replace a legitimate update file with a malicious one. Since the utility runs with elevated privileges, the outcome would be arbitrary code execution on the victim’s machine. The vulnerability was assigned the identifier CVE-2026-40677 and scored 7.7 under the CVSS 4.0 scale. MrBruh published his full technical findings in his original blog post, and the write-up quickly gained traction when it appeared on Hacker News.
The Bug Bounty That Never Arrived
MrBruh reported the issue to AMD on February 6 through the company’s bug bounty program. AMD closed the submission as ineligible, arguing that the attack scenario required traffic interception and affected optional tooling. The promised $10,000 payout never materialized.
Following AMD’s rejection, the researcher published his findings publicly. Once the post gained momentum on Hacker News, AMD asked MrBruh to take it down, citing a violation of program terms. However, as Gamers Nexus subsequently reported in their video investigation, AMD had actually amended the program’s rules after MrBruh’s disclosure, retroactively adding a clause that prohibited public disclosure even for reports deemed ineligible. In other words, the researcher was accused of breaking rules that did not exist at the time he disclosed the vulnerability.
Patch Arrives 124 Days Later, Still Without Payment
The vulnerability was eventually fixed 124 days after its discovery, but naturally without any compensation to the researcher. The corrected versions are AMD Ryzen Master 2.14.3, AMD µProf 5.3, and AMD Management Console 14.0.0. AMD stated that all updates now travel over HTTPS and undergo signature verification. The official security advisory is documented in AMD’s security bulletin AMD-SB-9027.
MrBruh reviewed the patch and found reason for further concern. Rather than implementing cryptographic signing, AMD’s solution relies solely on a CRC32 checksum, which provides no meaningful protection against deliberate file substitution. He also identified a separate redirect flaw that could prevent the utility from updating itself correctly. The researcher recommends uninstalling AMD software entirely and downloading the latest versions manually from AMD’s official website.
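The contrast drawn in the paragraph above, and the missing verification step described at the start of the article, as an added example that is neither AMD's code nor the researcher's: a Go model of an updater checking a downloaded file with CRC32 alone versus with an Ed25519 signature against a pinned vendor key. The installer bytes, the key pair, and the bundle layout are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// UpdateBundle is what the updater receives: the executable plus its integrity values.
type UpdateBundle struct {
	Payload   []byte
	CRC       uint32 // anyone can recompute this; no secret is involved
	Signature []byte // Ed25519 signature over Payload by the vendor's private key
}

// checkCRC32 is the weak control: it only catches accidental corruption.
func checkCRC32(b UpdateBundle) bool { return crc32.ChecksumIEEE(b.Payload) == b.CRC }

// checkSignature is what a signed-update pipeline needs: the client pins the
// vendor's public key and rejects anything not signed by it.
func checkSignature(pub ed25519.PublicKey, b UpdateBundle) bool {
	return ed25519.Verify(pub, b.Payload, b.Signature)
}

// publish runs at the vendor's build time; the private key never ships.
func publish(priv ed25519.PrivateKey, exe []byte) UpdateBundle {
	return UpdateBundle{exe, crc32.ChecksumIEEE(exe), ed25519.Sign(priv, exe)}
}

// substitute models an on-path party swapping the delivered file: the CRC is just
// recomputed, but no fresh signature exists without the vendor's private key.
func substitute(orig UpdateBundle, evil []byte) UpdateBundle {
	return UpdateBundle{evil, crc32.ChecksumIEEE(evil), orig.Signature}
}

// Scenario returns (CRC ok, sig ok) for the genuine bundle, then for the substituted one.
func Scenario() (genuineCRC, genuineSig, tamperedCRC, tamperedSig bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	genuine := publish(priv, []byte("constructed: genuine installer bytes"))   // sample data
	tampered := substitute(genuine, []byte("constructed: substituted installer")) // sample data
	return checkCRC32(genuine), checkSignature(pub, genuine),
		checkCRC32(tampered), checkSignature(pub, tampered)
}

func main() {
	gc, gs, tc, ts := Scenario()
	fmt.Printf("genuine: crc=%v sig=%v\ntampered: crc=%v sig=%v\n", gc, gs, tc, ts)
}
```

Pinning the CRC in an authenticated manifest does not change the picture: CRC32 is a 32-bit linear check with no secret, so it is a corruption detector, not an authentication control.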
A Reputational Setback That Saved Nothing
What began as a straightforward technical problem evolved into a reputational failure of AMD’s own making. The company may have saved $10,000 in the short term. However, in the longer view, it has done something far more costly: discouraged security researchers from investing their time and expertise in AMD’s ecosystem. The entire point of a bug bounty program is to reward that effort. When researchers cannot trust that their work will be recognized and compensated, the program loses the very people it was designed to attract.