
Audible
Bounty Range
$200 - $12,000
external program
Program guidelines
[Closed Scope](https://docs.hackerone.com/en/articles/8490833-security-page#h_46a5b35ded): Only accepts reports based on the listed scope.
[Fast Payment](https://docs.hackerone.com/en/articles/8490833-security-page#h_9c1fc6b7c0): Ensures payment within 1 month of receiving a vulnerability report.
[Top Response Efficiency](https://docs.hackerone.com/en/articles/8490880-response-target-indicators): This program's response efficiency is above 90%.
Managed by HackerOne. Collaboration Enabled. Includes Retesting.
13 hours Average time to first response
1 day, 2 hours Average time to triage
2 weeks, 3 days Average time to bounty
2 weeks, 4 days Average time from submission to bounty
1 month, 4 days Average time to resolution
Last updated on November 12, 2025. [View changes](/audible/bounty_table_versions)
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.

| Severity | 90-day average bounty |
| --- | --- |
| Low | $200 |
| Medium | $600 |
| High | $2,000–$6,000 |
| Critical | $12,000–$25,000 |
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are up to the discretion of Amazon. Issues may receive a lower severity due to the presence of compensating controls and context. The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at Amazon's discretion.

| Severity | Amount (in USD) |
| --- | --- |
| Critical | $12,000 - $25,000 |
| High | $2,000 - $6,000 |
| Medium | $400 - $600 |
| Low | $200 |
| Biz Accepted Risk or Informational | $0 |

Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
This program has not committed to the following Platform Standards. As such the report severity or outcome may differ.
Last updated on August 16, 2025. [View changes](/audible/policy_versions)
Audible exists to unleash the power of the spoken word and to take the digital audio book download business into the mainstream. We work to change the way individuals control the what, when, where, and how of the words they hear, and to establish literate listening as a core tool for anyone who wants to be more productive, more well-informed, or more thoughtfully entertained.
Audible appreciates your participation in this program and looks forward to your findings.
For security issues related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp). For security issues related to Amazon Devices, please submit reports via the [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices). For security issues related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring). For security issues related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero).
Audible customers and security researchers who discover a potential security finding within Audible products or services can report it to Audible. Amazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from receiving a reward.
You must be 18 or older to be eligible for an award.
Security researchers and customers of Audible are encouraged to report any behavior impacting the information security posture of Audible Android Application.
If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people's accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the issue but not take further action with the other account or its data.
Document your findings thoroughly, providing steps to reproduce and send your report to us.
Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.
We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
We will work with the affected teams to validate the report.
We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.
We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.
We will work with the affected teams to make necessary improvements and remediation.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:
Share your PII with third parties
Share your HackerOne points
Participation status
Web
Mobile
If a researcher is not able to demonstrate impact on bounty eligible assets then that finding will not be considered for rewards. If assets/IPs are not associated to in-scope domains please refrain from testing them as part of the Audible Program.
Reports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.
Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.
Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.
Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.
Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.
For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.
Valid Example: A XSS issue that can be escalated with a separate CSRF issue.
Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.
Invalid Example: Finding disclosed credentials and using them to pivot.
Amazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.
Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.
Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon in serving Customers.
Do not compromise or test Amazon accounts that are not your own.
If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks.
Do not perform any testing against assets that directly involve Amazon Employees in communication.
This can include support chats, even ones appearing to be automated, or Contact Us areas.
Do not perform physical attacks against any Amazon facility.
Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.
Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.
Make sure to use the User-Agent string audibleresearcher_yourh1username while testing.
Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.
Please note, use of scanning tools without the User-Agent string audibleresearcher_yourh1username may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.
Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**
For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).
For Amazon Web Services (AWS) related issues, please report via [the AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).
To report Copyright Infringement related issues, please report via [the Amazon infringement report form](https://www.amazon.com/gp/help/reports/infringement).
If you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field Bypass Reference with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.
Please create accounts using your HackerOne email to help us track security research activity. You can create accounts on Amazon by using mailto:%[email protected]%5D(mailto:[email protected])
Also, while testing, you are required to add the string audibleresearcher_yourh1username to your User-Agent header. You can create match and replace proxy rules in Burp by going to Proxy >> Options >> Match and Replace with the following options: Type: Request header; Match: `^User-Agent.*$`; Replace: `User-Agent: audibleresearcher_yourh1username`.
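The two testing requirements above (an identifying User-Agent and a cap of 5 requests per second per service) exist so that automated protections can attribute research traffic and the service is not degraded. The following is an added example, not code from Audible, Amazon or HackerOne, that does in a script what the Burp rule does in the proxy: it rewrites the `User-Agent` header of a raw HTTP request with the same anchored regex the rule uses, and it paces sends with a sliding-window throttle. The sample request, the `RESEARCHER_UA` constant with its `yourh1username` placeholder, and the simulated clock are constructed for the example.

```python
import re
import time
from collections import deque

# Placeholder from the program text: replace "yourh1username" with your own HackerOne handle.
RESEARCHER_UA = "audibleresearcher_yourh1username"

# The program's stated scanner limit (requests per second to any one service).
MAX_REQUESTS_PER_SECOND = 5

# Same pattern as the Burp Match and Replace rule.  Burp applies it to one header at a
# time, so here it is applied per header line (without re.MULTILINE, "$" is the end of
# the single line).  Note it is case-sensitive: a client sending "user-agent:" would
# slip past this rule exactly as it would in Burp.
UA_LINE = re.compile(r"^User-Agent.*$")

# Constructed sample request; help.audible.com is one of the in-scope domains listed on the page.
SAMPLE_REQUEST = (
    "GET /help HTTP/1.1\r\n"
    "Host: help.audible.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def tag_request(raw_request: str) -> str:
    """Return the raw request with its User-Agent header replaced by the researcher
    string; if the request carries no User-Agent, one is inserted after the request line."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    replacement = f"User-Agent: {RESEARCHER_UA}"
    for i, line in enumerate(lines):
        if UA_LINE.match(line):
            lines[i] = replacement
            break
    else:
        lines.insert(1, replacement)  # index 0 is the request line
    return "\r\n".join(lines) + sep + body


class RequestThrottle:
    """Sliding-window limiter: at most `per_second` sends in any one-second window.
    The clock and sleep functions are injectable so the pacing can be tested offline."""

    def __init__(self, per_second=MAX_REQUESTS_PER_SECOND, clock=time.monotonic, sleeper=time.sleep):
        self.per_second = per_second
        self.clock = clock
        self.sleeper = sleeper
        self.sent = deque()  # timestamps of sends inside the current window

    def _expire(self, now: float) -> None:
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()

    def wait(self) -> float:
        """Block until the next send is allowed; return the seconds spent waiting."""
        now = self.clock()
        self._expire(now)
        waited = 0.0
        if len(self.sent) >= self.per_second:
            waited = 1.0 - (now - self.sent[0])  # until the oldest send leaves the window
            self.sleeper(waited)
            now = self.clock()
            self._expire(now)
        self.sent.append(now)
        return waited


def simulate_burst(n: int, per_second: int = MAX_REQUESTS_PER_SECOND) -> list:
    """Drive the throttle with a simulated clock (no real sleeping) and return the
    delay imposed before each of n back-to-back sends."""
    clock = [0.0]
    throttle = RequestThrottle(per_second, clock=lambda: clock[0],
                               sleeper=lambda s: clock.__setitem__(0, clock[0] + s))
    return [throttle.wait() for _ in range(n)]


if __name__ == "__main__":
    print(tag_request(SAMPLE_REQUEST))
    print("delays for 11 back-to-back sends:", simulate_burst(11))
```

With a real client, `RequestThrottle().wait()` is called immediately before each send so the fifth-plus request in any second blocks instead of going out; the simulation shows the resulting pacing (every sixth send in a burst waits a full second) without touching the network.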
Reference HackerOne guidance on writing quality reports:
Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. You also agree not to attempt to threaten or extort Amazon.
Amazon commits to timely remediation of your findings, and prompt response to relevant questions.
Domains
help.audible.com
newsletters.audible.com
Issues
Bitflipping, Bitsquatting
Security Practices where other mitigating controls exist i.e. missing security headers, etc.
Social Engineering, Phishing
Physical Attacks
Missing Cookie Flags
CSRF with minimal impact i.e. Login CSRF, Logout CSRF etc.
Content Spoofing
Stack Traces, Path Disclosure, Directory Listings
SSL/TLS controls where other mitigating controls exist
Banner Grabbing
CSV Injection
Reflected File Download
Reports on out-of-date browsers
Reports on outdated version/builds of in-scope Mobile Apps
DOS/DDOS
Host header Injection without a demonstrable impact
Scanner Outputs
Vulnerabilities on Third Party Products
User Enumeration
Password Complexity
HTTP Trace Method
The goal of this program is to improve the security of our services for Customers. We do not reward, but will accept “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.
Issues with Certificate Pinning
Issues with shared preference folders on Mobile
Issues with hardcoded api keys
Issues with DRM
The below specific findings will not be accepted:
Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver
Lack of obfuscation
Absence of certificate pinning
Lack of jailbreak detection
| # | Vulnerability | Severity Range |
| --- | --- | --- |
| 1 | Remote Code Execution | Critical |
| 2 | SQL Injection | High - Critical |
| 3 | XXE | High - Critical |
| 4 | XSS | High - Critical |
| 5 | Server-Side Request Forgery | Medium - Critical |
| 6 | Directory Traversal - Local File Inclusion | Medium - High |
| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |
| 8 | Privilege Escalation | Medium - High |
| 9 | Insecure Direct Object Reference | Medium - High |
| 10 | Misconfiguration | Low - High |
| 11 | Web Cache Deception | Low - Medium |
| 12 | CORS Misconfiguration | Low - Medium |
| 13 | CRLF Injection | Low - Medium |
| 14 | Cross Site Request Forgery | Low - Medium |
| 15 | Open Redirect | Low - Medium |
| 16 | Information Disclosure | Low - Medium |
| 17 | Request Smuggling | Low - Medium |
| 18 | Mixed Content | Low |
Please note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.
Amazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.
As long as you comply with this policy: We consider your security research to be "authorized" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.
Amazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.
Top hackers ([See all hackers](/audible/thanks)):

| Rank | Hacker | Reputation |
| --- | --- | --- |
| 1 | zseano | 177 |
| 2 | jonathanbouman | 177 |
| 3 | avishai | 158 |
| 4 | todayisnew | 147 |
| 5 | shaikhyaser | 134 |
| 6 | akqr | 88 |
| 7 | thaivu | 88 |
| 8 | zere | 71 |
| 9 | comwrg | 64 |
| 10 | hacktus | 57 |
| 11 | hakupiku | 57 |
| 12 | youstin | 51 |
Audible (http://audible.com, https://x.com/audible_com)
Audible is an American online audiobook and podcast service that allows users to purchase and stream audiobooks and other forms of spoken word content. Bug Bounty Program launched in Apr 2025.
Response efficiency: 98%
| Statistic | Value |
| --- | --- |
| Total bounties paid | $126,000 |
| Average bounty range | $400 - $600 |
| Top bounty range | $4,000 - $12,000 |
| Bounties paid (90 days) | $1,600 |
| Reports received (90 days) | 63 |
| Last report resolved | 2 months ago |
| Reports resolved | 65 |
| Hackers thanked | 67 |
| Assets in scope | 4 |
© HackerOne