
I’m surprised it took AWS ~4 months to fully resolve the vulnerabilities…


It has been 3 years since I reported a problem in one of their services and they still haven't found anyone who seems to even be able to understand the problem.


If it’s been 3 years since you reported a vulnerability, they’ve done nothing, and you can confirm the vulnerability still exists, you should tell the public about it since you’ve done your part as far as responsible disclosure is concerned—the public should know.


I don't get this responsible disclosure. Responsible to whom exactly? It takes leverage from security researchers who have risked their valuable time. Now the companies with lax security can dictate their pay, if any, through bounties while threatening them not to discuss their findings. It's corrupt.


> Responsible to whom exactly?

Unsuspecting users.

When you don’t give companies a chance to fix a vulnerability that could have serious consequences for users, you’re effectively putting the users in harm’s way by disclosing it to the public. Bad actors will take advantage of that information very quickly. Nothing good comes out of that.

Whether you like the company or not, remember that the users have no idea they’re at risk.


“Wouldn’t it be a shame if we charged you with felonies under the CFAA. Now be a good little boy and shut up about our vulnerable systems.”

That’s basically the logic at play here, covered in an Orwellian veneer of “responsibility”.


It's not a vulnerability as such. It does retain data between two executions, however, that it shouldn't, but we're in control of both executions, so that doesn't really classify as a vulnerability.

Basically something is stateful that shouldn't be, probably because it's built on Lambda.
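The mechanism the comment above alludes to, as an added example that is not part of the original thread and says nothing about which AWS service the commenter means: a Lambda execution environment is reused for consecutive invocations, so anything written at module scope persists from one handler call to the next. The simulated runtime, the handler names, the tenant/query event shape and the sample events are all constructed for the illustration.

```python
"""Module-level state surviving warm Lambda invocations (constructed example).

Module scope runs once per execution environment (a cold start), not once
per invocation. Whatever is stored here is still there when the runtime
reuses the same environment for the next request.
"""

# Initialised at cold start and kept for the lifetime of the environment.
_RESULT_CACHE = {}


def lookup(tenant, query):
    """Stand-in for a tenant-scoped backend call (constructed, no real service)."""
    return f"{tenant}:{query}"


def leaky_handler(event, context=None):
    """Caches a result keyed only on the query text, so a later invocation in
    the same warm environment, even for a different tenant, is handed the
    first tenant's result."""
    key = event["query"]
    if key in _RESULT_CACHE:
        return {"tenant": event["tenant"], "result": _RESULT_CACHE[key], "cached": True}
    result = lookup(event["tenant"], event["query"])
    _RESULT_CACHE[key] = result
    return {"tenant": event["tenant"], "result": result, "cached": False}


def fixed_handler(event, context=None):
    """Same cache, but keyed on the principal as well as the query. The
    environment is still stateful (`cached` is True on a repeat), which is
    fine: a cached value can only ever reach the tenant it was computed for."""
    key = (event["tenant"], event["query"])
    if key in _RESULT_CACHE:
        return {"tenant": event["tenant"], "result": _RESULT_CACHE[key], "cached": True}
    result = lookup(event["tenant"], event["query"])
    _RESULT_CACHE[key] = result
    return {"tenant": event["tenant"], "result": result, "cached": False}


def invoke_warm(handler, events):
    """Call `handler` once per event inside this one process, which is what the
    Lambda runtime does when it reuses a warm execution environment."""
    return [handler(e) for e in events]


def cold_start():
    """Simulate a fresh execution environment: module-level state is gone."""
    _RESULT_CACHE.clear()


def leaks_across_tenants(handler):
    """Two-invocation probe: tenant A asks first, tenant B asks the same query
    in the same warm environment. True if B receives A's result."""
    cold_start()
    first, second = invoke_warm(handler, [
        {"tenant": "tenant-a", "query": "report"},  # constructed sample events
        {"tenant": "tenant-b", "query": "report"},
    ])
    return second["result"] == first["result"]


if __name__ == "__main__":
    print("leaky handler leaks across tenants:", leaks_across_tenants(leaky_handler))
    print("fixed handler leaks across tenants:", leaks_across_tenants(fixed_handler))
```

The probe in `leaks_across_tenants` is the check a tester would run against a real function: issue the same request twice in quick succession as two different principals and compare the responses. Whether state survives in a real deployment also depends on whether the two invocations land on the same environment, so repeat the pair several times before concluding there is no retention.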


You mean they’ve been able to fool you for three years by only allowing to you to talk to people who won’t understand, thereby tricking you into not going public with the problem, so they don’t have to make any effort whatsoever to understand the problem, let alone fixing it.


Even worse. We're a big enterprise customer. I've spoken to the people who actually architected and built the feature and they don't even understand the problem properly.


Not sure I'm really surprised. As far as I know, AWS hasn't been the fastest in resolving issues. I just remember the "S3 Bucket - We Charge You For Unauthorized Requests" issue a few months ago.



