Overview
In an attempt to bring stronger transparency to our customers, we are opening up a security Bug Bounty.
Scope and Reporting
This is a black-box test against our production environment. To have your vulnerability verified, send the report to [email protected]. Make the subject line clearly identify the message as a bug bounty submission (e.g., "Bug Bounty: XSS found in site"). All findings MUST include:
- Repeatable, programmatic steps that let the internal team reproduce and validate the finding
- A vulnerability title, summary, and walkthrough
- All report text in English
In Scope
Ensure that you adhere to Amazon’s Penetration Testing Policy.
Not in Scope
- Denial of Service (DoS/DDoS) style attacks. If you believe you have found a DoS-related vulnerability, email [email protected]; we will either test it internally or give you a specific time frame in which to test.
- Social engineering style attacks. This includes anything that requires another user to be coerced into navigating to or interacting with an "attack". Examples include:
  - Phishing
  - Web site spoofing
  - Link manipulation (e.g., changing an "l" to a "1" in a URL to deceive a user)
- Brute force style attacks. This primarily refers to attempts to gain access to users' accounts.
- Accessing another user's data by any means. If you need to test an exploit that interacts with another user, set up a second user account for testing, or reach out to [email protected] if you have specific testing requirements.
Payouts
We do not rely solely on severity ratings (e.g., CVSS) for a vulnerability; we focus on its business impact. Findings are rewarded on a first-come basis. Rewards are divided into three (3) payout categories, each with a maximum payout.
Critical Max Payout: $10k