A vulnerability disclosure program should be part of any company's promise to its customers. The owner of a product must have a strategy to accept input from the security community regarding that product. In May 2019, the AWS Security team received a report regarding the AmazonSageMakerFullAccess managed security policy. This session covers the vulnerability disclosure process and includes a discussion of how AWS processed that report.