2020-04-22
2020-04-24
Amazon Vulnerability Research Program

Amazon Vulnerability Research Program (VRP) - Program Policy

Introduction

At Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.

For vulnerabilities related to Amazon Web Services (AWS), please visit the AWS Vulnerability Reporting page.

What is VRP?

Amazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.

Who Can Participate in the Program

Amazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP.

Amazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program or from sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).

How the VRP Program Works

  • Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services.

  • If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.

  • Document your findings thoroughly, provide steps to reproduce, and send your report to us.

  • Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.

  • We will contact you to confirm that we’ve received your report and follow your steps to reproduce your findings.

  • We will work with the affected teams to validate the report.

  • We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.

  • We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.

  • We will work with the affected teams to make necessary improvements and remediation.

  • Qualified researchers who regularly submit high-quality findings may be added to the Amazon Private Program (invited researchers only).

Services and Products in Scope

Bounty-eligible findings are limited to the following marketplaces and mobile apps:

(Note: please check the Scopes section for complete details on the latest in-scope assets.)

All international retail marketplaces

  • Brazil: amazon.com.br

  • Canada: amazon.ca

  • Mexico: amazon.com.mx

  • United States: amazon.com

  • China: amazon.cn

  • India: amazon.in

  • Japan: amazon.co.jp

  • Singapore: amazon.sg

  • Turkey: amazon.com.tr

  • United Arab Emirates: amazon.ae

  • France: amazon.fr

  • Germany: amazon.de

  • Italy: amazon.it

  • Netherlands: amazon.nl

  • Spain: amazon.es

  • Sweden: amazon.se

  • United Kingdom: amazon.co.uk

  • Australia: amazon.com.au

  • Android and iOS Retail Apps (MShop)

      • Android: com.amazon.mShop.android.shopping

      • iOS: amazon-shopping-297606951

Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate their own assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and is against the AWS AUP (https://aws.amazon.com/aup/).

You are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.

Reports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.

Rules of Engagement

  • Provide details of the vulnerability finding, including information needed to reproduce and validate the report

  • Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services

  • Do not attempt to perform brute-force attacks or denial-of-service attacks

  • Do not compromise or test Amazon accounts that are not your own

  • Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks. This applies even if the target appears to be an automated chat system.

  • Do not perform physical attacks against any Amazon facility

  • Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.

  • Please make sure to use the User-Agent string amazonvrpresearcher_yourh1username while testing

  • Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than 5 requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.

  • Please note that use of scanning tools without the User-Agent string amazonvrpresearcher_yourh1username may result in your account/IP being blocked by automated protections. Reinstatement can take time, so please make sure to include it.

  • If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.

NOTE: Please do not use third-party sites when testing (for instance, <yourdomains>@xss.ht). We understand the use case (and value) of this testing, but ask that when doing blind XSS (or any) testing you only use assets that you explicitly own and control yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!

For other Types of Issues

  • For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact Customer Service.

  • For Amazon Web Services (AWS) related issues, please report via the AWS vulnerability reporting page (https://aws.amazon.com/security/vulnerability-reporting/).

  • To report copyright infringement related issues, please use Amazon's dedicated copyright infringement reporting link.

Creating Accounts for Vulnerability Research

Please create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using <yourh1username@wearehackerone.com>

Also, while testing, please include the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to Proxy >> Options >> Match and Replace with the following options:

Type: Request header

Match: ^User-Agent.*$

Replace: User-Agent: amazonvrpresearcher_yourh1username
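The Burp rule above rewrites one header on every outgoing request. The following Python is an added example, not code from the program page or from Amazon: it applies the same match-and-replace (the policy's `^User-Agent.*$` pattern, replaced by the researcher User-Agent) to a raw HTTP/1.1 request head, adds the header when a tool sends none, and paces requests to the 5 requests per second ceiling from the Rules of Engagement. The username placeholder, the sample request and the fake clock in `simulate_pacing()` are constructed for the example.

```python
"""Tagging and pacing research traffic the way the VRP rules ask.

Added example (not the program's code): reproduces Burp's match-and-replace
rule from the policy in plain Python and paces requests to the policy's
5 requests/second ceiling. The request text and the clock used by
simulate_pacing() are constructed for the example.
"""
import re
import time
from typing import Callable, List

# Placeholder from the policy: substitute your own HackerOne username.
H1_USERNAME = "yourh1username"
RESEARCHER_UA = f"amazonvrpresearcher_{H1_USERNAME}"

# The policy's Burp match expression, applied to one header line at a time
# (Burp's "Request header" rule type also matches header by header).
UA_PATTERN = re.compile(r"^User-Agent.*$", re.IGNORECASE)

# Ceiling from the Rules of Engagement for automated tools.
MAX_REQUESTS_PER_SECOND = 5.0


def tag_user_agent(request_head: str) -> str:
    """Rewrite the User-Agent of a raw HTTP/1.1 request.

    Every header matching UA_PATTERN becomes the researcher User-Agent; if
    the request has none, one is added so the traffic stays attributable.
    The request line, the other headers and the body are left untouched.
    """
    head, sep, body = request_head.partition("\r\n\r\n")
    lines = head.split("\r\n")
    replaced = False
    for i, line in enumerate(lines[1:], start=1):  # lines[0] is the request line
        if UA_PATTERN.match(line):
            lines[i] = f"User-Agent: {RESEARCHER_UA}"
            replaced = True
    if not replaced:
        lines.append(f"User-Agent: {RESEARCHER_UA}")
    return "\r\n".join(lines) + sep + body


class RateLimiter:
    """Releases at most `per_second` calls per second, evenly spaced.

    The clock and sleep functions are injectable so the pacing can be
    verified without waiting in real time.
    """

    def __init__(self, per_second: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self.interval = 1.0 / per_second
        self._clock = clock
        self._sleep = sleeper
        self._next_allowed = 0.0

    def wait(self) -> float:
        """Block until the next request may go out; return the seconds waited."""
        now = self._clock()
        delay = max(0.0, self._next_allowed - now)
        if delay:
            self._sleep(delay)
        self._next_allowed = max(now, self._next_allowed) + self.interval
        return delay


def simulate_pacing(n_requests: int,
                    per_second: float = MAX_REQUESTS_PER_SECOND) -> List[float]:
    """Run the limiter against a fake clock and return each request's send time.

    With per_second=5 the k-th request (0-based) is released at k * 0.2 s,
    so six requests span a full second instead of going out as a burst.
    """
    state = {"now": 0.0}

    def fake_clock() -> float:
        return state["now"]

    def fake_sleep(seconds: float) -> None:
        state["now"] += seconds

    limiter = RateLimiter(per_second, clock=fake_clock, sleeper=fake_sleep)
    send_times = []
    for _ in range(n_requests):
        limiter.wait()
        send_times.append(fake_clock())
    return send_times


if __name__ == "__main__":
    # Constructed sample request with a generic browser User-Agent that the
    # rule must replace before the request leaves the proxy.
    sample = ("GET /gp/buy/ HTTP/1.1\r\n"
              "Host: www.amazon.com\r\n"
              "User-Agent: Mozilla/5.0 (constructed)\r\n"
              "Accept: */*\r\n\r\n")
    print(tag_user_agent(sample))
    print("send times:", simulate_pacing(6))
```

The limiter is deliberately per-process and conservative: it spaces requests at fixed intervals rather than allowing bursts, so a tool built on it cannot exceed the stated ceiling even when responses return quickly.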

Legal Safe Harbor

Amazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.

As long as you comply with this policy:

  • We consider your security research to be "authorized" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.

  • We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.

Amazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We are not responsible for any liability arising from actions you perform against third parties.

Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.

To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

  • Share your PII with third parties

  • Share your research without your permission

  • Share your HackerOne points, or participation without your permission

If Your Account is Banned or Blocked Because of Vulnerability Research Activities

  • Follow the on-screen instructions when you log in to your Amazon account for recovery

  • Have a recent card statement available to prove ownership

  • The account will typically be restored within 24 hours

Research Guidance

Reference HackerOne guidance on writing quality reports:

  • https://docs.hackerone.com/hackers/quality-reports.html

  • https://www.hacker101.com/sessions/good_reports

Responsible Disclosure Policy

Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.

Amazon commits to timely remediation of your findings, and prompt response to relevant questions.

In-Scope Vulnerabilities

| | Vulnerability | Severity Range |
|----|-------------|----------------|
| 1 | Remote Code Execution | Critical |
| 2 | SQL Injection | High - Critical |
| 3 | XXE | High - Critical |
| 4 | XSS | Medium - High |
| 5 | Server-Side Request Forgery | Low - Critical |
| 6 | Directory Traversal - Local File Inclusion | Medium - High |
| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |
| 8 | Privilege Escalation | Medium - High |
| 9 | Insecure Direct Object Reference | Medium - Critical |
| 10 | Misconfiguration | Low - High |
| 11 | Web Cache Deception | Low - Medium |
| 12 | CORS Misconfiguration | Low - Medium |
| 13 | CRLF Injection | Low - Medium |
| 14 | Cross Site Request Forgery | Low - Medium |
| 15 | Open Redirect | Low - Medium |
| 16 | Information Disclosure | Low - Medium |
| 17 | Request Smuggling | Low - Medium |
| 18 | Mixed Content | Low |

Non-eligible Vulnerabilities

| | Vulnerability |
|----|-------------|
| 1 | Subdomain Takeover |
| 2 | Clickjacking |
| 3 | Self XSS |
| 4 | Email Spoofing - SPF Records Misconfiguration |

Out-of-Scope Issues

  • Security practices where other mitigating controls exist, e.g. missing security headers

  • Social Engineering, Phishing

  • Physical Attacks

  • Missing Cookie Flags

  • CSRF with minimal impact, e.g. login CSRF, logout CSRF

  • Content Spoofing

  • Stack Traces, Path Disclosure, Directory Listings

  • SSL/TLS controls where other mitigating controls exist

  • Banner Grabbing

  • CSV Injection

  • Reflected File Download

  • Reports on out-of-date browsers

  • Reports on outdated version/builds of in-scope Mobile Apps

  • DOS/DDOS

  • Host header Injection without a demonstrable impact

  • Scanner Outputs

  • Vulnerabilities on Third-Party Products

  • User Enumeration

  • Password Complexity

  • HTTP Trace Method

  • Discovering and testing against AWS customer assets

Out-of-Scope Assets

| Category | Asset |
|----------|-------|
| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |
| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |

In Scope

| Scope Type | Scope Name |
|------------|------------|
| android_application | com.amazon.mShop.android.shopping |
| ios_application | 297606951 |
| other | Other Amazon Retail Sites (Please only actively test explicitly stated scope) |
| other | Other Amazon Retail Mobile Apps (Please only actively test explicitly stated scope) |
| other | Amazon Retail Subsidiaries (Please only actively test explicitly stated scope) |
| other | Other Amazon Retail Assets (Please only actively test explicitly stated scope) |
| web_application | https://smile.amazon.* |
| web_application | https://flex.amazon.* |
| web_application | https://logistics.amazon.* |
| web_application | https://org.amazon.* |
| web_application | www.amazon.* |
| web_application | https://primenow.amazon.* |
| web_application | https://pay.amazon.* |
| web_application | https://fresh.amazon.* |
| web_application | https://photos.amazon.* |
| web_application | https://prime.amazon.* |
| web_application | https://music.amazon.com |
| web_application | https://manufacturing.amazon.* |
| web_application | https://freight.amazon.* |
| web_application | https://shopbylook.amazon.* |
| web_application | chat.amazon.com |
| web_application | https://affiliate-program.amazon.com |
| web_application | https://track.amazon.com |
| web_application | https://api.amazon.com |
| web_application | https://manufacturing.amazon.com |
| web_application | https://www.amazon.com/dppui/* |
| web_application | https://www.amazon.com/gp/buy/* |
| web_application | www.amazon.com/cpe/yourpayments/wallet |
| web_application | https://www.amazon.com/amazoncash |
| web_application | apay-us.amazon.com |
| web_application | payments.amazon.* |

Out of Scope

| Scope Type | Scope Name |
|------------|------------|
| web_application | https://amazongames.com/ |
| web_application | https://www.twitch.tv/ |
| web_application | https://tsologic.com/ |
| web_application | Amazon Web Services (AWS) |


This program, crawled on 2020-04-22, is sorted as bounty.

FireBounty © 2015-2024
