Vulnerability Reporting

Address potential vulnerabilities in any aspect of our cloud services

Amazon Web Services takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.

Reporting Suspected Vulnerabilities

  • Amazon Web Services (AWS): If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, please submit the information by contacting aws-security@amazon.com. If you wish to protect the contents of your submission, you may use our PGP key.
  • Amazon.com (Retail): If you have a security concern with Amazon.com (Retail), Seller Central, Amazon Payments, or other related issues such as suspicious orders, invalid credit card charges, suspicious emails, or vulnerability reporting, please visit our Security for Retail webpage.
  • AWS Customer Support Policy for Penetration Testing: AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for listed services. Requests for authorization of other simulated events should be submitted via the Simulated Events form. For customers operating in the AWS China (Ningxia & Beijing) Region, please use this Simulated Events form.
  • AWS Abuse: If you suspect that AWS resources (such as an EC2 instance or S3 bucket) are being used for suspicious activity, you can report it to the AWS Abuse Team using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com.
  • AWS Compliance Information: AWS compliance reports are available via AWS Artifact. If you have additional AWS Compliance-related questions, please contact the Compliance team via their intake form.

So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

The information you share with AWS as part of this process is kept confidential within AWS. AWS will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, AWS will only share this information as permitted by you.

AWS will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.

Scope

The following activities are out of scope for the AWS Vulnerability Reporting Program. Conducting any of the activities below will result in disqualification from the program permanently.

  • Targeting assets of AWS customers or non-AWS sites hosted on our infrastructure
  • Any vulnerability obtained through the compromise of AWS customer or employee accounts
  • Any Denial of Service (DoS) attack against AWS products or AWS customers
  • Physical attacks against AWS employees, offices, and data centers
  • Social engineering of AWS employees, contractors, vendors, or service providers
  • Knowingly posting, transmitting, uploading, linking to, or sending malware
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam)

SLA for Evaluation By AWS

AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response confirming receipt of your initial report within 24 hours, timely updates, and monthly check-ins throughout the engagement. You may request updates at any time, and we welcome dialogue that clarifies any concern or disclosure coordination.

Public Notification

If applicable, AWS will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, AWS requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.

AWS makes public notifications in the form of Security Bulletins, which are posted on the AWS Security website. Individuals, companies, and security teams typically post their advisories on their own websites and in other forums, and when relevant, we will include links to those third-party resources in AWS Security Bulletins.

Safe Harbor

AWS believes that security research performed in good faith should be provided safe harbor. For the purposes of safe harbor for security research and reporting vulnerabilities, AWS Security has adopted core terms of disclose.io, specifically “Safe Harbor” and “Our Expectations.” We look forward to working with security researchers who share our passion for protecting AWS customers.

Accordingly, we consider security research conducted under this policy to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service and/or Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our previously mentioned channels under “Reporting Suspected Vulnerabilities” before going any further.

Note that the safe harbor applies only to legal claims under the control of the organization participating in this policy, and that this policy does not bind independent third parties.

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the previously mentioned channels to discuss vulnerability information with us;
  • Provide us a reasonable amount of time from the initial report to resolve the issue before you disclose it publicly;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a proof-of-concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

Disclosure Policy

Once the report has been submitted, AWS will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, AWS will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and discussion of public disclosure.

A few things to note about the AWS process:

  1. Third-Party Products: Many vendors offer products within the AWS cloud. If the vulnerability is found to affect a third-party product, AWS will notify the owner of the affected technology. AWS will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
  2. Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in an AWS product, this will be shared with you.
  3. Vulnerability Classification: AWS uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please reference the NVD site.