
AWS VDP
External Program
Program guidelines
Welcome to the AWS VDP! We are excited to collaborate with you! -AWS Security Outreach Team
Closed Scope: only accepts reports based on the listed scope (https://docs.hackerone.com/en/articles/8490833-security-page#h_46a5b35ded).
Managed by HackerOne
19 hours Average time to first response
2 weeks, 6 days Average time to triage
1 month, 1 week Average time to resolution
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Last updated on July 24, 2025. [View changes](/aws_vdp/policy_versions)
Amazon Web Services is committed to collaborating with the security community to identify and address vulnerabilities, ensuring the safety of our businesses and customers. We deeply value your contributions and take all security reports with utmost seriousness. If you would like to report a concern with Amazon Retail and Devices, please visit Amazon's Public Bug Bounty Program https://hackerone.com/amazonvrp.
This page outlines our practices for investigating and resolving potential vulnerabilities within our cloud services. Thank you for helping us maintain a secure environment.
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.
Questions about getting started with AWS services? [Connect with an expert »](https://aws.amazon.com/contact-us/sales-support-wi/)
AWS requests that researchers follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Once a report has been submitted, AWS will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, AWS will work with you to obtain it. When the initial investigation is complete, the results will be delivered to you along with a plan for resolution and a discussion of public disclosure.
A few things to note about the AWS process:
- Third-Party Products: Many vendors offer products within the AWS cloud. If the vulnerability is found to affect a third-party product, AWS will notify the owner of the affected technology. AWS will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
- Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in an AWS product, this will be shared with you.
- Vulnerability Classification: AWS uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please reference the [NVD site](https://nvd.nist.gov/vuln-metrics/cvss).
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged and we will request additional information.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
When conducting scanning campaigns targeting AWS resources, please consolidate all related findings into a single report. Submitting a high volume of individual reports for similar findings in quick succession can lead to a deduction in points. Repeated failure to follow this guideline can result in disqualification from the program.
Amazon S3-related submissions to this program are limited to vulnerabilities specifically impacting the Amazon S3 service itself. Any other security concerns or issues related to the Amazon S3 service are out of the scope of the VDP and should be reported directly to the AWS security team at their dedicated inbox: [email protected]. Please ensure that all non-S3-related reports are directed accordingly.
If applicable, AWS will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
In order to protect our customers, AWS requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.
AWS makes public notifications in the form of [Security Bulletins](https://aws.amazon.com/security/security-bulletins/), which are posted on the AWS Security website. Individuals, companies, and security teams typically post their advisories on their own websites and in other forums; when relevant, we will include links to those third-party resources in AWS Security Bulletins.
When reporting potential vulnerabilities, please consider (1) realistic attack scenarios and (2) the security impact of the behavior. The following activities are out of scope for the AWS Vulnerability Reporting Program. Conducting any of the activities below will result in disqualification from the program permanently.
Theoretical vulnerabilities requiring unlikely user interaction or circumstances:
- Vulnerabilities only affecting users of unsupported or end-of-life browsers or operating systems.
- Broken link hijacking.
- Tabnabbing.
- Content spoofing and text injection issues.
- Attacks requiring physical access to a device (without prior written authorization).
- Self-exploitation, such as self-XSS or self-DoS (unless it can be used to attack a different account).
Theoretical vulnerabilities without real-world security impact:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on forms with no sensitive actions (e.g., Logout).
- Permissive CORS configurations without demonstrated security impact.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors).
- Comma Separated Values (CSV) injection.
- Open redirects (unless you can demonstrate additional security impact).
Optional security hardening steps / Missing best practices:
- SSL/TLS configurations.
- Lack of SSL pinning.
- Lack of jailbreak detection in mobile apps.
- Cookie handling (e.g., missing HttpOnly/Secure flags).
- Content-Security-Policy configuration opinions.
- Optional email security features (e.g., SPF/DKIM/DMARC configurations).
- Most issues related to rate limiting.
Vulnerabilities requiring hazardous testing (must not be attempted unless explicitly pre-authorized):
- Issues relating to excessive traffic/requests (e.g., DoS, DDoS).
- Any other issues where testing may affect the availability of systems.
- Social engineering of AWS employees, contractors, vendors, or service providers (e.g., phishing, opening support requests).
- Attacks that are noisy to users or admins (e.g., spamming notifications or forms).
- Physical attacks against AWS employees, offices, and data centers.
- Targeting assets of AWS customers or non-AWS sites hosted on our infrastructure.
- Any vulnerability obtained through the compromise of AWS customer or employee accounts.
- Knowingly posting, transmitting, uploading, linking to, or sending malware.
- Pursuing vulnerabilities which send unsolicited bulk messages (spam).
This section defines the requirements necessary to issue a security advisory (e.g. CVE, GHSA).
The [Amazon CNA](https://www.cve.org/PartnerInformation/ListofPartners/partner/AMZN) will issue CVEs that support customers in addressing valid security vulnerabilities within the following classes:
- AWS services delivered by AWS and publicly available to customers (e.g. Amazon EC2, Amazon RDS).
- Amazon services delivered by Amazon and publicly available to customers (e.g. Amazon[.]com Seller API Service).
- Open-source software within a GitHub organization managed by Amazon or AWS.
- Client software published by Amazon or AWS and available for download from a website or download location owned and operated by us (e.g. Amazon Appstore SDK, Amazon Input SDK, Amazon Kindle App, Amazon MShop App, Amazon WorkSpaces client).
- Devices manufactured by Amazon or AWS and available to customers for purchase and use (e.g. Amazon Fire TV, Amazon Echo devices, Amazon Kindle, AWS Outpost).
Additionally, all of the requirements below must be met:
- Customer Impacting: The issue must exist within an Amazon or AWS-owned class which is publicly available to customers; AND
- Customer Agency: Remediation of supported or EOL/EOS product issues requires customer action, including making a risk-based decision on handling the remediation (OR customers need to assess possible impact), OR a valid security vulnerability will become public (OR has the potential of becoming public); AND
- CVSS score: 4.0 (MEDIUM) or higher.
Services, software, or hardware issues that are deemed not a vulnerability include but are not limited to:
- Non-default configuration or changes made using valid credentials that were correctly authorized
- Targeting assets of Amazon or AWS customers (or non-AWS sites hosted on AWS infrastructure)
- Any vulnerability obtained through the compromise of Amazon or AWS customer or employee accounts
- Any Denial of Service (DoS) attack against Amazon or AWS products (or Amazon or AWS customers)
- Physical attacks against Amazon or AWS employees, offices, and data centers
- Social engineering of Amazon or AWS employees, contractors, vendors, or service providers
- Knowingly posting, transmitting, uploading, linking to, or sending malware
- Pursuing vulnerabilities which send unsolicited bulk messages (spam)
All vulnerability research must be conducted in good faith. This means:
- You will follow this policy, and any other relevant agreements you have with us
- Your research must consist exclusively of good faith testing, investigation, or correction of a security flaw, with the primary goal of promoting the safety of the class of devices, machines, or online services to which any accessed computers belong
- You will not violate AWS customers' security and privacy, and will not harm individuals or the public
- Your research will proceed only as far as necessary to demonstrate or clarify the security issue, and no further
- If a vulnerability provides unintended access to data, you will limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept. Stop the research and submit a report immediately if you encounter any user data during testing, such as personal information, financial information, or proprietary information
- You will report the findings of your research to us within 72 hours of determining a potential security concern via our Vulnerability Disclosure Program on HackerOne (https://hackerone.com/aws_vdp) or by emailing [email protected] ([PGP key](https://aws.amazon.com/security/aws-pgp-public-key/)).
- You will provide us with a reasonable amount of time to resolve the issue before you disclose it publicly
- You may only interact with accounts you own or with explicit written permission from AWS or the account owner
- No stunt hacking
- No extortion or harassment
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
Note that for the purposes of safe harbor, AWS does NOT waive a right to pursue remedies against security research activities targeting other AWS customers' resources, operations, or end users, including but not limited to:
- unauthorized cross-customer environment access
- manipulation, monitoring/collection
- spoofing
- social engineering, including but not limited to phishing
- impersonating AWS, AWS employees, AWS services, or AWS products
- impersonating AWS or customer marketplace offerings (e.g. AMIs, container images, templates, models, etc.)
- impersonating any other company, their employees, services, products or offerings
- provisioning resources to mimic AWS infrastructure or AWS customer resources
- Denial of Service, Distributed Denial of Service, simulated DoS, simulated DDoS
- port, protocol, or request flooding
- any type of brute forcing
- IP or resource cycling/churning
- DNS hijacking, pharming, or zone walking via Amazon Route 53
- stunt hacking
An explicit authorization or permission granted by any single AWS customer for the purposes of their continuous vulnerability scanning, penetration testing, security configuration validation, or vulnerability rewards program (VRP) cannot exceed the bounds of that specific customer's accounts and resources, and does NOT grant authorization for abusive activities via any AWS service.
Individuals or companies conducting security research are strongly encouraged to contact AWS Security (via HackerOne (https://hackerone.com/aws_vdp) or by emailing [email protected] ([PGP key](https://aws.amazon.com/security/aws-pgp-public-key/))) to review their planned methodology and seek guidance or operational support prior to any activities. Security research that is not conducted in good faith may subject your AWS account(s) to active response measures, such as offending resource isolation, account suspension, resource / account termination, legal remedies, or relevant law enforcement referral.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response confirming receipt of your initial report within 24 hours, timely updates, and monthly check-ins throughout the engagement. You may request updates at any time, and we welcome dialogue that clarifies any concern or disclosure coordination.
At AWS, we're committed to maintaining a secure and compliant Vulnerability Disclosure Program while adhering to global regulations. Please review these important guidelines:
- Participation is subject to compliance with applicable sanctions and trade regulations in conformity with the AWS Customer Agreement, Section 11.6 (Trade Compliance): https://aws.amazon.com/agreement/
- Non-monetary rewards such as merch store credits and physical swag cannot be issued to individuals in sanctioned countries/regions.
- Participants are responsible for compliance with local tax laws and regulations.
Website: https://aws.amazon.com/ | X: https://x.com/amazon
Amazon Web Services (AWS) is a secure cloud services platform, offering compute power and other functionality to help businesses scale and grow. Vulnerability Disclosure Program launched in Sep 2024.
Response efficiency: 65%
Reports received (last 90 days): 213 | Last report resolved: 8 hours ago | Reports resolved: 298 | Hackers thanked: 179 | Assets in scope: 558
© HackerOne