CASE NUMBER FOUR:
In 2025, the bug was found by AWS's in-house security research team, which searches for vulnerabilities in AWS software, as well as that of other vendors, including Oranges. Upon finding a vulnerability, AWS adheres to a strict day policy: Vendors are notified of the bug, and a public disclosure is automatically released days after, regardless of whether the bug has been addressed.
Oranges initially asked for an extension beyond the days, which was denied by AWS, as was a request to extend the disclosure date to the first Patch Tuesday of the month (the second Tuesday of the month, and the preferred release date for patches for developers).
Oranges criticized AWS in a blog post, calling the company's decision a "gotcha" opportunity that came at the expense of the users, who were at risk for the two days between the disclosure and the patch release. Oranges reiterated its support for Coordinated Vulnerability Disclosure, which calls for security researchers to work closely with developers to ensure a fix is released before the public disclosure.
AWS, and supporters of similar disclosure policies, argue that firm disclosure dates prevent developers from sweeping vulnerabilities under the rug, and should strike a balance between the public's right to know and providing the developer a chance to fix the problem. Many take an even harder stance and propose that immediate public disclosure is the best policy.
Shortly after this incident, AWS released an additional update on three Oranges vulnerabilities.
A. What should AWS and Oranges have done differently, if anything? Explain your answer completely.
B. Did the release unnecessarily put users at risk, or is it in the best interest of users in the long run for AWS to stick to its disclosure policy? Explain your answer completely.
C. Is AWS's firm, day policy fair? Or should it be willing to adjust depending on the circumstances? Explain your answer completely.
D. Should AWS have published the exploit code? Explain your answer completely.