tl;dr: A researcher found that AMD's AutoUpdate tool downloads executables over HTTP without signature verification, enabling trivial MITM RCE attacks. AMD initially dismissed it as out-of-scope for their bounty program, then asked him to take down his blog and demanded an embargo far exceeding the 90-day industry standard—ultimately taking 124 days to fix by changing HTTP to HTTPS. The patch claims signature verification, but it's actually just a CRC-32 check, and the updater was already broken anyway due to an unrelated unhandled redirect.