
You find a real, exploitable bug. You report it the way you are supposed to, and then you wait.
It comes back closed: out of scope. No payout. A few weeks later the vendor ships the fix you handed them, your name in the credits and nothing in your account.
If you have hunted for any length of time, you know this feeling. It feels personal. It almost never is.
What decided it was a clause written long before you showed up. This week, one researcher’s version of that story went public.
What happened to one researcher
A researcher who blogs as MrBruh found a critical bug in AMD’s Windows auto-updater, used by Ryzen Master and other tools. It downloaded updates over plain HTTP, with no signature check.

Anyone on the same network could swap the real download for malware, and the machine would run it. That is remote code execution through a trusted update path. A real, serious finding.
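The failure described above is worth seeing next to its fix. The Go program below is an added example written for this issue, not AMD's updater or MrBruh's proof of concept: `VulnerableFetch` is the accept-anything pattern (plain HTTP, no integrity check), and `HardenedFetch` is the defender's version, which refuses non-HTTPS URLs, verifies a signed manifest against a vendor public key pinned in the client, and compares the download with the signed hash before anything is run. The manifest format, the `updates.example.test` URLs, and the installer bytes are all constructed for the example; the cryptography is the standard library's Ed25519 and SHA-256.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Fetcher stands in for the network: given a URL it returns whatever bytes came
// back. An on-path attacker is simulated by passing a closure that returns
// something other than the real installer.
type Fetcher func(downloadURL string) []byte

// UpdateManifest is a small, constructed format for this example (not AMD's):
// where the installer lives, its SHA-256, and an Ed25519 signature over that
// hash made with the vendor's signing key on the build host.
type UpdateManifest struct {
	DownloadURL string
	SHA256      [sha256.Size]byte
	Signature   []byte
}

var (
	ErrInsecureTransport = errors.New("update URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify against the pinned key")
	ErrHashMismatch      = errors.New("downloaded installer does not match the signed hash")
)

// VulnerableFetch is the pattern described in the write-up: whatever comes back
// from the plain-HTTP URL is accepted as the update, with no integrity check.
func VulnerableFetch(fetch Fetcher, downloadURL string) []byte {
	return fetch(downloadURL)
}

// HardenedFetch refuses non-HTTPS URLs, checks the manifest signature against a
// public key pinned in the client binary, and only then fetches the installer
// and compares it with the signed hash. A swapped download fails closed.
func HardenedFetch(fetch Fetcher, pinnedKey ed25519.PublicKey, m UpdateManifest) ([]byte, error) {
	u, err := url.Parse(m.DownloadURL)
	if err != nil || u.Scheme != "https" {
		return nil, ErrInsecureTransport
	}
	if !ed25519.Verify(pinnedKey, m.SHA256[:], m.Signature) {
		return nil, ErrBadSignature
	}
	body := fetch(m.DownloadURL)
	if sha256.Sum256(body) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return body, nil
}

// NewVendorKey generates the vendor's signing key pair. In a real deployment the
// private half stays on the build or HSM host; only the public half ships in
// the updater.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the vendor-side step that produces the manifest for a release.
func SignManifest(priv ed25519.PrivateKey, downloadURL string, installer []byte) UpdateManifest {
	h := sha256.Sum256(installer)
	return UpdateManifest{
		DownloadURL: downloadURL,
		SHA256:      h,
		Signature:   ed25519.Sign(priv, h[:]),
	}
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed stand-in for the real installer")
	swapped := []byte("constructed stand-in for an attacker-supplied binary")
	m := SignManifest(priv, "https://updates.example.test/setup.exe", genuine)

	// An on-path attacker answers the download request with their own binary.
	hostile := func(string) []byte { return swapped }

	fmt.Printf("vulnerable updater would run: %q\n", VulnerableFetch(hostile, "http://updates.example.test/setup.exe"))
	_, err = HardenedFetch(hostile, pub, m)
	fmt.Println("hardened updater result:", err)
}
```

The signature check, not the TLS upgrade, is the part that closes the class of bug: HTTPS protects the transport, but a key pinned in the binary means an interception proxy or a mis-issued certificate still cannot feed the client a fake installer, and a manifest signed with any other key is rejected before a single byte of the download is trusted.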
AMD’s bounty platform closed it as out of scope: man-in-the-middle attacks are excluded, and the affected tool is optional.
Then his write-up gained traction on Hacker News. Within a day, AMD’s security team re-engaged, issued a CVE, shipped a fix, and credited him. They still declined to pay, citing that same scope.
What was left was a fight over time. He asked for the standard 90-day disclosure; AMD wanted longer, and the full write-up only went public 124 days after he reported it.
Notice what reopened the report. Not the program, but the public attention. A reputation-funded process responds to reputation pressure, not to the quality of your bug.
The clause decides, not your bug
I spent years selling security tools, on the side of the table where these programs get budgeted. The outcome that leaves you unpaid is rarely about how good your finding was.
A bug bounty program is not really a security control. It is a budget with a legal firewall around it, and the scope document is that firewall.
Every mature program publishes what it will not pay for: man-in-the-middle, social engineering, self-XSS, anything needing physical access. None of it is written against you personally. It exists to keep a fixed pool of money from meeting an unbounded supply of clever submissions.
So the clause is rational for the program. It is also the reason a real, exploitable bug can be acknowledged, fixed, credited, and still pay nothing. Both are true at once, which is why these disputes never resolve cleanly.
And the deal is getting worse
The math behind your payout is tightening. Last month Linus Torvalds said AI-powered bug hunters had made the Linux security mailing list “almost entirely unmanageable.”
The supply of plausible-looking reports just went vertical. The budget to triage and pay them did not.
When intake explodes and the pool stays fixed, programs get defensive: stricter scope, harder rejections, slower payouts. The careful researcher submitting real work absorbs the cost of a flood they did not create.
Go in clear-eyed
None of this means stop hunting. It means reading the scope as a payment contract before you spend the weekend, not after you submit.
If your finding lives inside an exclusion, you are doing unpaid disclosure as a favor. That can be a fair choice, as long as you make it on purpose and not by surprise.
Your real leverage is timing. Agree the disclosure window before you hand over the details, because that is when a program is most willing to be fair.
The deal did not change
A program reopening one report under public pressure does not change the system. The scope clause still decides, the budget is still a firewall, and the next hard case will land the same way.
If you have had a real bug closed as out of scope, reply and tell me which clause did it. I will feature the sharpest stories next week, anonymized if you want.
See you next Tuesday.
Sources
- MrBruh: The RCE that AMD wouldn’t fix (the researcher’s own write-up, June 2026)
- Hacker News: discussion thread on MrBruh’s report (where it gained traction)
- AMD: Product security bulletin AMD-SB-9027 (vendor confirmation of the CVE and fix)
- The Register: Linus Torvalds says AI-powered bug hunters have made the Linux security mailing list ‘almost entirely unmanageable’ (May 18, 2026)
AppSec Santa Weekly: an ex-vendor’s notes on how the security-tools business actually works.