3 Principles for Modern VDPs: How AWS Keeps Vulnerability Disclosure Working at Massive Scale
Being the world’s most trusted cloud means building security into its foundation and recognizing that vulnerability disclosure is a mission-critical trust system.
Albin Vattakattu oversees one of the most modern and effective enterprise vulnerability disclosure programs operating today, at Amazon Web Services (AWS). He has thought deeply about what it takes to make external security research a genuine force multiplier at cloud scale. The lessons he’s drawn aren’t just relevant to AWS; they’re a model for any organization looking to evolve its program as the security landscape grows more complex.
As context: across the HackerOne platform, valid vulnerability reports have grown by 20% since 2021. That volume isn’t slowing down. If anything, AI is accelerating discovery on both the offensive and defensive sides of the equation. The latest Hacker-Powered Security Report found a 210% increase in valid AI-related vulnerability reports since 2024. Every organization running a disclosure program today needs to think about how it scales, and how it keeps pace.
Albin’s approach is built around three principles.
#1: Design for Scale from Day One
The most effective disclosure programs treat vulnerability intake as a distributed system, not a linear queue. At enterprise scale, the traditional model (submit – triage – route – fix) creates bottlenecks. This leads to slower time to remediation and more exposure.
The right answer isn’t working harder; it’s designing for scale.
“You can’t scale through people alone,” Albin says. “The real leverage is in the system.”
This means investing in infrastructure that scales with the environment: automated intake, routing, and enrichment that gets reports to the right teams without manual handoffs at every step. AI plays a meaningful role here. It accelerates categorization, service attribution, and trend analysis, while higher-stakes decisions remain accountable to humans. Building that foundation early is what makes growth manageable.
#2: Optimize for Time-to-Context
Speed matters, but speed without context doesn’t help engineering teams act. The metric that actually drives remediation isn’t how fast a report gets triaged — it’s how fast a validated, actionable finding reaches the right person with enough information to move immediately.
Albin calls this “time-to-context,” and it’s the principle AWS optimizes around. Reports are enriched at intake: severity, affected services, and business impact are established before a finding ever reaches an engineering team.
That upfront investment compresses the gap between submission and action, reduces decision latency, and increases confidence in remediation.
When validation is the bottleneck, solving for context is what unlocks scale.
#3: Eliminate Vulnerability Classes, Not Just Individual Bugs
The highest-leverage thing a disclosure program can do is turn a single finding into a systemic improvement. For every validated report, AWS asks: Does this issue exist elsewhere? Is it tied to a shared dependency? Does it represent a pattern?
“Don’t just look at that one vulnerability as an isolated incident, look across your infrastructure,” Albin said. “Does it exist in other places?”
By identifying and eliminating classes of vulnerabilities across services, AWS reduces repeat exposure and strengthens systemic resilience. “The real value comes from eliminating classes of problems,” he said.
This is the shift from reactive bug handling to continuous risk reduction.
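The three principles read as a pipeline: automate intake and routing (#1), attach service, owner, tier and priority before an engineer sees the report (#2), and ask whether the same component ships elsewhere (#3). The following Python sketch is an added example of that pipeline and is not AWS's or HackerOne's code. The asset inventory, SBOM, team names, hostnames and library names are constructed sample data, and the priority formula is an assumption chosen for illustration.

```python
"""Added example: enrich a disclosure report at intake, route it to the owning
team, and look for variants in other services sharing the same component."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample inventory: public host -> (service, asset tier).
# In a real program this comes from an asset inventory / CMDB.
ASSET_INVENTORY = {
    "api.payments.example.internal": ("payments-api", "critical"),
    "api.orders.example.internal": ("orders-api", "high"),
    "www.example.internal": ("marketing-site", "low"),
}

# Constructed service -> owning team map (the routing table).
SERVICE_OWNER = {
    "payments-api": "team-payments",
    "orders-api": "team-orders",
    "marketing-site": "team-web",
    "ledger-worker": "team-ledger",   # internal only: no host in the inventory
}

# Constructed SBOM: service -> components it ships (name@version).
SBOM = {
    "payments-api": {"jwt-lib@1.2", "http-router@3.0"},
    "orders-api": {"jwt-lib@1.2", "orm@2.1"},
    "marketing-site": {"http-router@3.0"},
    "ledger-worker": {"jwt-lib@1.2"},
}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TIER_SCORE = {"critical": 3, "high": 2, "low": 1}


@dataclass
class Report:
    report_id: str
    host: str
    weakness: str
    severity: str                    # severity as claimed by the researcher
    component: Optional[str] = None  # library the finding is attributed to, if known


@dataclass
class Enriched:
    report_id: str
    service: Optional[str]
    team: str
    tier: Optional[str]
    priority: str
    variants: List[str] = field(default_factory=list)


def attribute_service(host: str):
    """Map a reported host to (service, tier); None if it is not ours."""
    host = host.lower().rstrip(".")
    if host in ASSET_INVENTORY:
        return ASSET_INVENTORY[host]
    # Fall back to a parent-domain match for subdomains of a known host.
    for known, entry in ASSET_INVENTORY.items():
        if host.endswith("." + known):
            return entry
    return None


def priority(severity: str, tier: Optional[str]) -> str:
    """Assumed formula: severity x asset tier -> P0..P3. Unknown assets land
    at P2 so a human looks at them rather than letting them sink."""
    if tier is None:
        return "P2"
    score = SEVERITY_SCORE.get(severity.lower(), 2) * TIER_SCORE[tier]
    return "P0" if score >= 9 else "P1" if score >= 6 else "P2" if score >= 3 else "P3"


def find_variants(service: Optional[str], component: Optional[str]) -> List[str]:
    """Principle #3: every other service shipping the same component is a
    candidate for the same bug and gets checked, not just the reported one."""
    if component is None:
        return []
    return sorted(s for s, comps in SBOM.items() if s != service and component in comps)


def enrich(report: Report) -> Enriched:
    """Principle #2: establish service, owner, tier and priority at intake."""
    hit = attribute_service(report.host)
    service, tier = hit if hit else (None, None)
    team = SERVICE_OWNER.get(service, "triage-unassigned")
    return Enriched(report.report_id, service, team, tier,
                    priority(report.severity, tier),
                    find_variants(service, report.component))


def route(enriched: Enriched) -> List[str]:
    """Principle #1: fan the finding out to the owner and to each variant's
    owner without a manual hand-off; duplicates collapse to one queue."""
    queues = [enriched.team]
    for svc in enriched.variants:
        owner = SERVICE_OWNER.get(svc, "triage-unassigned")
        if owner not in queues:
            queues.append(owner)
    return queues


if __name__ == "__main__":
    sample = Report("R-1", "api.payments.example.internal",
                    "auth bypass", "critical", "jwt-lib@1.2")
    e = enrich(sample)
    print(e)
    print("routed to:", route(e))
```

A report against the payments API with a known vulnerable JWT library lands at P0 with the payments team and is also fanned out to the orders and ledger teams, because the SBOM says they ship the same component; a medium-severity finding on a subdomain of the marketing site resolves to the web team at P3; a host not in the inventory goes to an unassigned queue at P2 for a human decision.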
From Intake Channel to Continuous Risk System
AWS runs its vulnerability disclosure program on the HackerOne platform, connecting with a global community of security researchers through a structured, trusted process.
At scale, what matters is turning the right reports into validated, actionable work quickly and consistently. That requires clear workflows, efficient coordination, and the ability to deliver context to the right teams without friction. When those pieces are in place, a vulnerability disclosure program stops being a reporting inbox and starts functioning as a continuous risk reduction system: validating fast, prioritizing effectively, and eliminating root causes at the source.
That's what modern exposure management looks like. A model worth building toward.
Hacker-Powered Security Report 2025: The Rise of the Bionic Hacker
Survey methodology: HackerOne and UserEvidence surveyed 99 HackerOne customer representatives between June and August 2025. Respondents represented organizations across industries and maturity levels, including 6% from Fortune 500 companies, 43% from large enterprises, and 31% in executive or senior management roles. In parallel, HackerOne conducted a researcher survey of 1,825 active HackerOne researchers, fielded between July and August 2025. Findings were supplemented with HackerOne platform data from July 1, 2024 to June 30, 2025, covering all active customer programs. Payload analysis: HackerOne also analyzed over 45,000 payload signatures from 23,579 redacted vulnerability reports submitted during the same period.