The flaw of not using HTTPS for the downloads is so basic it’s shocking they didn’t have internal tooling to raise this before it was shipped. I’m not familiar with AMD’s bug bounty policy but they should have at least paid $1337 to the researcher for raising this to them.
$10k is nothing to AMD. The middle-management bean counters making these decisions are actively harming their company’s (and user’s security.
The flaw of not using HTTPS for the downloads is so basic it’s shocking they didn’t have internal tooling to raise this before it was shipped. I’m not familiar with AMD’s bug bounty policy but they should have at least paid $1337 to the researcher for raising this to them.