Address potential vulnerabilities in any aspect of our cloud services
Amazon Web Services takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.
Amazon Web Services (AWS): If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, please submit the information by contacting aws-security@amazon.com. If you wish to protect the contents of your submission, you may use our PGP key.
AWS Customer Support Policy for Penetration Testing: AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for listed services. Requests for authorization for other simulated events should be submitted via the Simulated Events form. For customers operating in the AWS China (Ningxia & Beijing) Region, please use this Simulated Events form.
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you share with AWS as part of this process is kept confidential within AWS. AWS will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, AWS will only share this information as permitted by you.
AWS will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
AWS is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from AWS at least every five US working days.
If applicable, AWS will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
In order to protect our customers, AWS requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.
AWS makes public notifications in the form of Security Bulletins, which are posted on the AWS Security website. Individuals, companies, and security teams typically post their advisories on their own websites and in other forums, and when relevant, we will include links to those third-party resources in AWS Security Bulletins.
AWS believes that security research performed in good faith should be provided safe harbor. We have adopted Disclose.io’s Core Terms, subject to the conditions below, and we look forward to working with security researchers who share our passion for protecting AWS customers.
The following activities are out of scope for the AWS Vulnerability Reporting Program. Conducting any of the activities below will result in disqualification from the program permanently.
Once the report has been submitted, AWS will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, AWS will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and discussion of public disclosure.
A few things to note about the AWS process:
Scope Type | Scope Name |
---|---|
web_application | *.amazon.* |
This program, crawled on 2015-06-30, is sorted as cvd.