The flaw of not using HTTPS for the downloads is so basic it’s shocking they didn’t have internal tooling to raise this before it was shipped. I’m not familiar with AMD’s bug bounty policy but they should have at least paid $1337 to the researcher for raising this to them.