The Honor System
AMD changed the rules after a researcher played by them. What happens when honor systems stop being honorable?
I've been watching the security community argue all week about ten thousand dollars.
A researcher found a hole in AMD's software this year. Not a theoretical vulnerability, not a proof-of-concept that only works in a lab. A real hole in AMD's auto-updater, the kind that would let an attacker push whatever code they wanted onto every machine running it. Millions of machines. The worst kind of problem, sitting in the one piece of software designed to trust whatever it's told to install.
The researcher did what you're supposed to do. They reported it through AMD's bug bounty program, which is the system the industry built for exactly this situation. Find a vulnerability, report it to the company, give them time to fix it, get paid for your trouble instead of selling the exploit to criminals. It's a deal. Not a contract, exactly. More like a handshake.
AMD took 124 days to patch it. Four months, for a critical vulnerability in a component that auto-updates. Then they changed their bug bounty policy, retroactively, and told the researcher the vulnerability no longer qualified for the $10,000 payment.
Four months of waiting. Then a rule change. Then a "no."
The security community reacted the way you'd expect. Not with surprise. More with the tired recognition of a pattern they've seen before. Tom's Hardware and TechSpot both covered the story this week, and the comments read less like outrage and more like resignation.
Here's what I keep thinking about. Bug bounty programs are honor systems. The researcher trusts that the company will pay. The company trusts that the researcher will keep the vulnerability private during the patch window. Neither side has meaningful legal enforcement. The whole thing runs on reputation and reciprocity, the same way a lot of the most important systems in the world actually run.
Honor systems are older than contracts. The earliest long-distance trade routes worked on them. Merchants along the Silk Road extended credit to strangers they'd never see again, trusting that the next merchant in the next city would honor the debt. It worked because defection was expensive. Cheat one trader, and every trader between Xi'an and Constantinople heard about it. Your reputation was your credit line. Break it once and you were done.
The math here is what makes AMD's decision so strange. Ten thousand dollars is trivial. AMD reported $6.8 billion in revenue last quarter. The bounty was a rounding error on a rounding error. But what they spent was their reputation in a community where reputation is the only currency that matters.
Security researchers talk to each other. They share which companies pay promptly and which ones stall. They maintain lists, formal and informal, of which bug bounty programs are worth the effort. The next researcher who finds a critical AMD vulnerability will do the rational math in their head before they do anything else. Report to AMD, with its uncertain payout, 124-day wait, and history of retroactive rule changes. Or sell the exploit on the gray market for a guaranteed payout, immediately, no questions asked.
AMD just shifted the equilibrium. Responsible disclosure is a cooperation strategy, and cooperation strategies only work when both sides cooperate. The researcher cooperates by reporting. The company cooperates by paying and patching promptly. If either side defects, the rational response is for the other side to defect too. AMD defected. They changed the rules after the researcher had already played by them.
The irony is that bug bounty programs exist specifically to prevent this outcome. Before bug bounties, a researcher who found a vulnerability could report it for free and hope the company fixed it, publish it publicly and let chaos sort things out, or sell it to whoever was buying. The bounty programs were designed to make the first option attractive enough that most researchers would take it. The deal was simple. Find something, tell us, we'll pay you. The simplicity was the point. You don't add terms and conditions to a handshake.
The security community has a phrase for this. They call it "pulling a [company name]," where the name rotates depending on who most recently stiffed a researcher. The phrase exists because it keeps happening. Corporations run the analysis and conclude that the PR hit from one angry researcher is cheaper than honoring every bounty claim. And they're right, on the spreadsheet. The quarterly numbers look fine.
But the spreadsheet doesn't have a column for "researchers who found a vulnerability and quietly sold it instead of reporting it." That column exists. You just can't see it. By design.
I keep coming back to the 124 days. Not the money. The time. That researcher sat on a critical vulnerability for four months, trusting that AMD was working on it, trusting that the deal was the deal. They could have published on day one. They could have sold it on day one. Instead they waited, because the system said waiting was the right thing to do.
The system was wrong. Not about waiting. About what would be there when the waiting was over.
Sources: [Tom's Hardware](https://www.tomshardware.com/tech-industry/cyber-security/amd-denies-researcher-a-usd10-000-bug-bounty-after-fixing-critical-auto-updater-vulnerability-security-flaw-took-124-days-to-patch), "AMD denies researcher a $10,000 bug bounty," June 2026. [TechSpot](https://www.techspot.com/news/112746-amd-changes-rules-denies-researcher-10000-bounty-after.html), "AMD changes rules, denies researcher $10,000 bounty," June 2026.