Amazon Devices and Services Bug Bounty Program Overview

Safeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.

Amazon Devices and Services Bug Bounty Program Process

In order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. To be considered for a reward, you must comply with all parts of this policy, including the following requirements -

• Adherence to our Responsible Research and Disclosure Policy and other legal obligations.
• Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.
• Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.
• Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.
• You must be available to provide additional information if needed by us to reproduce and investigate your report.
• You must abide by the HackerOne’s Finder Terms and Conditions

Please note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.

Restrictions

To be eligible for the program, you must not:

• Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.
• Be employed by Amazon or any subsidiaries of Amazon.
• Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.

Additional Rules of Engagement

• Do not test Contact Us based functionality.
• Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.
  • Not using a version hosted yourself, will result in complete forfeiture of any reward.
• DOS/DDOS is out of scope on web properties

Bypass Reports

If you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field Bypass Reference with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.

Creating Accounts for Vulnerability Research

Please create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [email protected]

Also, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy >> Options >> Match and Replace with the following options: Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: amazonvrpresearcher_yourh1username

Devices and Services Bug Bounty Program Scope

In Scope Devices This program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.

• The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.

Software Update Reference

• FireTV Software Versions
• Fire Tablet Software Version
• Echo Software Versions
• Kindle E-Reader Software Versions
• Blink Software Versions
• Luna Controller Software Versions

In Scope Services & Apps In Scope Mobile Application Packages:

==(Note: Reports on outdated version/builds are out of scope)==

In Scope Web Applications Domains:

Vulnerability Severity Ratings

The severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.

The Severity mentions below are a guideline, and not definitive. There may be situations where compensating controls or complexity of a finding increases or decreases severity.

Reports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.

Severity Rating for Devices Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.

Critical Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.

High High vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, or installing apps. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.

Medium Medium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset with local access vector. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.

Low Low vulnerabilities that may not pose a direct security impact to customer or the device such as parental control bypasses.

GenAI Details and Assessment Considerations

• For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:
  • Timestamp
  • IP
  • Consumed Content | Prompt String
  • Security Impact

Please note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward on these reports and close them as informative unless there is direct application security impact on the in-scope GenAI applications. Few examples for these out-of-scope reports are generation of inappropriate text/visual content with the model, get inappropriate suggestions from the model, malicious code generation. Any issues which are result of model hallucinations are out scope as well.

IMPORTANT NOTE: DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.

LLM/GenAI Vulnerabilities

Service & Apps Vulnerability Severity Ratings Use following table to determine the severity ratings for web and mobile app vulnerabilities.

Out-of-Scope Issues

• Bitflipping, Bitsquatting
• Discovering and testing against AWS customer assets
• Model Hallucinations
• Content moderation issues, solicitation
• Security Practices where other mitigating controls exist i.e. missing security headers, etc.
• Social Engineering, Phishing
• Physical Attacks
• Missing Cookie Flags
• CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.
• Content Spoofing
• Stack Traces, Path Disclosure, Directory Listings
• SSL/TLS controls where other mitigating controls exist
• Banner Grabbing
• CSV Injection
• Reflected File Download
• Reports on Out of dated browsers
• Reports on outdated version/builds of in-scope Mobile Apps
• DOS/DDOS
• Host header Injection without a demonstrable impact
• Scanner Outputs
• Vulnerabilities on Third-Party Products
• Auth User Enumeration
• Password Complexity
• HTTP Trace Method

Operational Security Issues

The goal of this program is to improve the security of our services for Customers. We do not reward, but will accept “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.

Responsible Research and Disclosure Policy

By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. We require that you -

• Do not access or collect any customer data.
• Do not exploit security vulnerabilities for any other purposes than for testing.
• Must not publicly disclose any information regarding the reported issue without written consent from Amazon
• In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.

While it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.

Safe Harbor

Amazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. As long as you comply with this policy:

• We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
• We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

Amazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc. To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

• Share your PII with third parties.
• Share your research without your permission.
• Share your HackerOne points, or participation without your permission.