Amazon
The world's largest e-commerce and cloud computing company, operating AWS, Prime, Alexa, and a massive marketplace ecosystem.
https://amazon.comMax Reward
$25,000
Total Paid
$8,500,000
Resolved
534
Avg Response
4 days
In-Scope Assets
amazon.com
E-commerce platform, checkout, and payment flows
AWS Console
AWS management console and IAM
Alexa Services
Voice assistant APIs and skills platform
Prime Video
Streaming platform and DRM systems
Out of Scope
- ✕ Third-party seller content
- ✕ Twitch (separate program)
- ✕ Physical warehouse systems
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (2)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| AMZN-001 | SSRF via image processing in product review uploads | High | Open | $5,000–$15,000 | 1 |
| AMZN-002 | Price manipulation via race condition in checkout API | Critical | In Review | $10,000–$25,000 | 2 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.