The RCE that AMD wouldn't fix
AMD delayed patching an RCE vulnerability in its AutoUpdate software for 124 days after initially dismissing it as out of scope.
A researcher discovered that AMD's AutoUpdate tool downloads executables over HTTP without signature verification, enabling man-in-the-middle attacks. AMD's third-party bounty platform rejected the report because MITM attacks were out of scope. After the researcher published details, AMD's internal PSIRT team reversed course and agreed to fix it. However, AMD delayed 124 days while requesting the researcher keep the blog offline. The final patch removed the auto-updater from the installer and moved it to the application with HTTPS, though AMD's claim of signature verification proved false (only CRC-32 checksums were added). An unrelated redirection bug rendered the original vulnerability unexploitable anyway. The researcher received no bounty payment but security credit and a CVE.
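As an added example (not code from AMD or from the researcher's post), the following Go program contrasts the two integrity checks the summary distinguishes: a CRC-32 that anyone on the download path can recompute, and a signature that only the publisher's private key can produce. The key pair, the sample update bytes and the function names are constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Update is what an updater receives over the network: the executable
// bytes plus the integrity metadata the server sends alongside them.
type Update struct {
	Payload []byte
	CRC     uint32 // keyless checksum, the kind of check the patch added
	Sig     []byte // Ed25519 signature, the kind of check that was claimed
}

// Publish builds an update the way a legitimate server would.
func Publish(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload: payload,
		CRC:     crc32.ChecksumIEEE(payload),
		Sig:     ed25519.Sign(priv, payload),
	}
}

// Substitute models an on-path party that replaces the payload. It can
// recompute the CRC because CRC-32 involves no secret; it cannot produce
// a new signature without the publisher's private key, so the old one stays.
func Substitute(u Update, replacement []byte) Update {
	return Update{Payload: replacement, CRC: crc32.ChecksumIEEE(replacement), Sig: u.Sig}
}

// CRCAccepts is the weak check: it passes for any payload whose checksum
// arrived over the same untrusted channel as the payload itself.
func CRCAccepts(u Update) bool { return crc32.ChecksumIEEE(u.Payload) == u.CRC }

// SigAccepts is the check an updater should perform, against a public key
// pinned in the installed binary rather than fetched from the server.
func SigAccepts(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("constructed update bytes"))
	swapped := Substitute(genuine, []byte("constructed replacement bytes"))
	fmt.Println("genuine: crc", CRCAccepts(genuine), "sig", SigAccepts(pub, genuine))
	fmt.Println("swapped: crc", CRCAccepts(swapped), "sig", SigAccepts(pub, swapped))
}
```

Running it prints `true true` for the genuine update and `true false` for the substituted one: the checksum alone never notices the swap, the signature does.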
What commenters are saying
Top commenters note that AMD distinguished between denying the bounty (a scope-policy decision) and denying the vulnerability itself (which it later acknowledged). One thread debates whether MITM exclusions are reasonable: several argue that HTTP-based update vectors without cryptographic verification deserve priority regardless of threat-model assumptions, while others note that bug bounties exist for engineering prioritization, not comprehensive security. A commenter points out that the original exploit may have been dead on arrival because of the redirect bug. Critics highlight the gap between AMD's public acceptance of vulnerability reports (implicit in running a bounty program) and its actual remediation timeline and honesty about the fix.