When One Vulnerability Cascades Across Cloud Infrastructure
Albin Vattakattu, Ryan Nolette
fwd:cloudsec North America 2026 · Day 1
This talk, "When One Vulnerability Cascades Across Cloud Infrastructure," by Albin Vattakattu and Ryan Nolette from AWS, provides an unparalleled behind-the-scenes look into how a major cloud provider handles zero-day vulnerabilities, particularly those stemming from third-party dependencies. It delves into the intricate, multi-team choreography required to identify, assess, remediate, and disclose such critical issues, not just within AWS's vast infrastructure but also across a global ecosystem of impacted organizations and their customers. The speakers highlight the escalating challenges posed by the exponential growth of vulnerability reports, driven in part by AI discovery tools, and propose a modern framework for **Vulnerability Disclosure Programs (VDPs)** designed for scale and efficiency.
AI review
A candid, data-backed operational deep-dive from the people actually running disclosure at hyperscale — rare for a vendor talk at a cloud security conference. The 200% report volume increase, 31% valid-report rate, and the 50-service blast-radius case study are the kind of concrete numbers that practitioners can actually use to benchmark and justify their own programs. Not groundbreaking research, but substantive process transparency that most AWS-sized organizations would never put on a public stage.