- AMD told a security researcher on June 12 that a critical‑severity vulnerability the researcher had identified would not be eligible for the $10,000 bounty that was promised.
- The researcher disclosed a bug that allowed unauthenticated attackers to execute arbitrary code via the GPU driver’s memory‑management unit. AMD later announced that its bug‑bounty program now requires flaws to be reported through a specific channel and within a 30‑day window, applying the rule to all past submissions.
- The change matters because it narrows the financial incentive for independent security work and signals a stricter stance on disclosure timing. Companies that shift rules after the fact risk alienating the very researchers who help keep their products safe.
- In short, AMD’s retroactive policy tweak protects its bottom line but may undermine trust in its vulnerability‑reward ecosystem.
