CASE NUMBER FOUR:

In $2025,$ the bug was found by AWS$$s in$-$house security research team, which searches for vulnerabilities in AWS software, as well as that of other vendors, including Oranges. Upon finding a vulnerability, GAWS adheres to a strict $90-$day policy: Vendors are notified of the bug, and a public disclosure is automatically released $90$ days after, regardless of whether the bug has been addressed.

Oranges initially asked for an extension beyond the $90$ days, which was denied by AWS, as was a request to extend the disclosure date to the first $$Patch Tuesday$$ of the month $($the second Tuesday of the month, and preferred release date for patches for developers$).$

Oranges criticized AWS in a blog post, accusing the company$$s decision of being a $$gotcha$$ opportunity, and at the expense of the users, who were at risk for the two days between the disclosure and the patch release. Oranges reiterated its support for $$Coordinated Vulnerability Disclosure,$$ which calls for security researchers to work closely with developers in ensuring a fix is released before the public disclosure.

AWS, and supporters of similar disclosure policies, argue that firm disclosure dates prevent developers from sweeping vulnerabilities under the rug, and should strike a balance between the public$$s right to know and providing the developer a chance to fix the problem. Many take an even harder stance and propose that immediate public disclosure is the best policy.

Shortly after this incident, AWS released an additional update on three Oranges vulnerabilities.

A$.$ What should AWS and Oranges have done differently, if anything? Explain your Answer completely

B$.$ Did the release unnecessarily put users at risk, or is it in the best interest of users in the long run for AWS to stick to its disclosure policy? Explain your Answer completely

C$.$ Is AWS$$s firm, $90-$day policy fair? Or should it be willing to adjust depending on the circumstances? Explain your Answer completely

D$.$ Should AWS have published the exploit code? Explain your Answer completely