A Critical Flaw AMD Said Was Not Their Problem
TL;DR: A security researcher found a critical vulnerability on an official AMD website. AMD dismissed the report without a reward, stating the third-party software was out of scope, raising questions about corporate security responsibility.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published
- Source: Hacker News
Full summary
A researcher found a critical flaw on an AMD website. AMD called it "out of scope" and refused to pay a bounty.
A security researcher discovered a severe Remote Code Execution (RCE) vulnerability on an official AMD subdomain. The flaw was not in an AMD product but in an outdated version of vBulletin, a third-party forum software powering the company's community site. RCEs are among the most serious security risks, as they can allow an attacker to run their own code on a target server. The researcher responsibly disclosed the issue through AMD's bug bounty program on HackerOne, expecting a reward and a swift fix for the high-impact finding.
Instead of a reward, AMD’s security team closed the report as "Informative" and "Out of Scope." Their reasoning was that the bug bounty program only covers AMD-developed products, not third-party applications running on their infrastructure. While AMD did eventually take the vulnerable website offline, the company did not pay a bounty or formally acknowledge the report's severity. This response has sparked a debate about corporate responsibility for the security of an entire digital footprint. For security teams, it’s a reminder that attackers do not care about internal policies; a vulnerability on a trusted domain is a threat that can be used for phishing or spreading malware, regardless of its source.
The incident serves as a case study on the potential pitfalls of narrowly defined bug bounty programs. When scopes are too rigid, companies risk demotivating researchers from reporting valid threats on their attack surface. It highlights the critical need for organizations to have a clear policy for handling all vulnerability disclosures, not just those that fit neatly into a bounty structure. For businesses, this underscores the importance of continuously auditing all assets, including third-party software, and fostering a positive relationship with the security research community.
Why it matters
Highlights the risks of narrowly scoped bug bounty programs and the importance of securing all company web assets, including those running third-party software. An RCE on a trusted domain is a major threat, regardless of its origin.
Business impact
This incident can damage a company's reputation with the security research community, potentially discouraging future disclosures. It also underscores the legal and brand risk of vulnerabilities on any official domain, which can be exploited for phishing or malware distribution, eroding customer trust.
Primary source: Hacker News
