HeadlinesBriefing.com

AMD Delays Patch, Refuses $10,000 Bounty on Auto‑Updater Flaw

Hacker News

Paul LaRosa exposed a critical flaw in AMD’s Windows auto‑updater: update payloads were fetched over plain HTTP, so an attacker on the network path could swap in malware. The vulnerability enabled remote code execution through a trusted update channel used by Ryzen Master and other utilities. AMD took 124 days to issue a patch.

AMD cited a policy exclusion for man‑in‑the‑middle attacks to deny the $10,000 bounty that LaRosa had earned. Instead, the company requested extensions, stretching the standard 90‑day disclosure window. The patch replaced HTTP with HTTPS but left CRC32 checksums in place; CRC32 is an error‑detection code, not a cryptographic integrity check, and offers no protection against deliberate tampering.

The 124‑day delay contrasts sharply with best practice, which calls for patching a critical, remotely exploitable bug in days rather than months. Security researchers argue that a quick fix and a fair bounty would have reduced the exposure window for users far earlier. AMD’s approach reflects a broader industry pattern of prioritizing budget over swift remediation.

The move to HTTPS closes the on‑path tampering vector, but payload validation still rests on CRC32 checksums. CRC32 is not a cryptographic hash or signature: anyone who can alter a payload can trivially make it match any expected checksum, so the checksum only catches accidental corruption. Users of Ryzen Master and related tools therefore get a patch that corrects the transport layer but leaves deeper validation gaps. The incident underscores the need for secure update pipelines, with downloaded payloads verified against a vendor signature rather than a checksum, and for transparent bounty policies that protect end users and prevent future exploits of the auto‑update mechanism.
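To make concrete why a CRC32 check is not integrity protection, here is an added Python example; it is not code from the article, from LaRosa's report, or from AMD's updater. It goes beyond the specific case: for any payload and any target checksum it computes four bytes that, appended to the payload, force `zlib.crc32` to the target (CRC32 is affine over GF(2), so the last four input bytes steer the register to any value). It then shows a CRC32-only verifier accepting the forged payload while a keyed check (HMAC-SHA256, standing in for a vendor signature) rejects it. The sample payloads, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), identical to the one zlib uses.
POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte, which lets us invert one
# byte-step of the CRC register from the register value after that step.
REV = {entry >> 24: n for n, entry in enumerate(TABLE)}


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes X such that crc32(data + X) == target_crc."""
    reg = crc32_of(data) ^ 0xFFFFFFFF        # raw register after `data`
    want = target_crc ^ 0xFFFFFFFF           # raw register we must end on
    # Walk backwards from `want`: the top byte of the register after each
    # step pins down which table entry that step must have used.
    steps = []
    r = want
    for _ in range(4):
        i = REV[r >> 24]
        steps.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF
    steps.reverse()
    # Replay forwards from the real register, choosing each byte so the
    # table index matches what the backward walk demanded.
    suffix = bytearray()
    for i in steps:
        suffix.append((reg ^ i) & 0xFF)
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(suffix)


def forged_payload(malicious: bytes, target_crc: int) -> bytes:
    """Attacker's payload padded with 4 bytes so it carries the expected CRC."""
    return malicious + forge_suffix(malicious, target_crc)


def crc_check_accepts(payload: bytes, expected_crc: int) -> bool:
    """The kind of check the article describes: compare CRC32 and nothing else."""
    return crc32_of(payload) == expected_crc


def mac_check_accepts(payload: bytes, expected_tag: bytes, key: bytes) -> bool:
    """Keyed integrity check standing in for a vendor signature (hypothetical)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_tag)


def demo() -> dict:
    # Constructed sample data, not real AMD update material.
    genuine = b"MZ\x90\x00" + b"genuine updater payload v1.0" * 4
    malicious = b"MZ\x90\x00" + b"attacker payload that runs on install" * 4
    key = b"vendor-secret-key-stand-in"        # hypothetical signing key

    published_crc = crc32_of(genuine)          # what an updater would ship as "the checksum"
    published_tag = hmac.new(key, genuine, hashlib.sha256).digest()

    forged = forged_payload(malicious, published_crc)
    return {
        "forged_crc_matches": crc_check_accepts(forged, published_crc),
        "mac_rejects_forged": not mac_check_accepts(forged, published_tag, key),
        "mac_accepts_genuine": mac_check_accepts(genuine, published_tag, key),
        "bytes_appended": len(forged) - len(malicious),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The four appended bytes sit after the end of the file, where a Windows PE loader ignores them as overlay data, so the forgery costs the attacker nothing in functionality. A signature over the payload (or, as here, a keyed MAC) cannot be fixed up this way because the attacker lacks the key; that is the validation gap HTTPS alone does not close.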