[{"id":3766580,"new_policy":"# Amazon Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. 
\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n* You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n* Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n* Be employed by Amazon or any subsidiaries of Amazon.\n* Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us`-based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. 
Make sure that all traffic goes through domains only you have control over.\n   * **Not using a version hosted yourself will result in complete forfeiture of any reward.** \n* DOS/DDOS is out of scope on web properties.\n\n## Bypass Reports\n\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [yourh1username@wearehackerone.com](mailto:yourh1username@wearehackerone.com).\n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options: \n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**\n This program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software. 
\n\n* The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.\n\n**Software Update Reference**\n\n* [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)\n* [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)\n* [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)\n* [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)\n* [Blink Software Versions](https://support.blinkforhome.com/en_US/security-and-app-updates/2016136)\n* [Luna Controller Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G6F4QENEFP5Q5JRZ)\n\n**In Scope Services \u0026 Apps**\n_In Scope Mobile Application Packages:_\n\n|Name\t|Android Package Name\t|Apple iOS App ID\t|\n|---\t|---\t|---\t|\n|FreeTime\t|com.amazon.tahoe.freetime\t|1324809509\t|\n|Alexa Companion App\t|com.amazon.dee.app\t|944011620\t|\n|FireTV (Bison)\t|com.amazon.storm.lightning.client.aosp\t|947984433\t|\n|Kindle\t|com.amazon.kindle\t|302584613\t|\n|Amazon Photos\t|com.amazon.clouddrive.photos\t|621574163\t|\n|Amazon Key\t|com.amazon.cosmos\t|1291586307\t|\n|Amazon Luna\t|com.amazon.tails\t|1528364633\t|\n\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains:_\n\n|Name\t|Domain\t|\n|---\t|---\t|\n|Alexa Developer\t|[developer.amazon.com/alexa/*](http://developer.amazon.com/alexa/)\t|\n|Amazon App Store\t|[developer.amazon.com/apps-and-games/*](http://developer.amazon.com/apps-and-games/)\t|\n|Alexa Web\t|[alexa.amazon.com](http://alexa.amazon.com/)\t|\n|Skills Store\t|[skills-store.amazon.com](http://skills-store.amazon.com/)\t|\n|Kindle Cloud 
Reader\t|[read.amazon.com](http://read.amazon.com/)\t|\n|Kindle Publishing\t|[https://kdp.amazon.com](https://kdp.amazon.com/)\t|\n|Alexa Answers\t|[alexaanswers.amazon.com](http://alexaanswers.amazon.com/)\t|\n|Alexa BluePrints\t|[blueprints.amazon.com](http://blueprints.amazon.com/)\t|\n|Amazon FireTV App Creator\t|[creator.amazon.com](http://creator.amazon.com/)\t|\n|Device Content Manager\t|[amazon.com/hz/mycd/*](http://amazon.com/hz/mycd/)\t|\n|Amazon Photos\t|https://www.amazon.com/photos/\t|\n|Amazon Luna\t|https://luna.amazon.com/\t|\n|Alexa API\t|https://api.amazonalexa.com/\t|\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**The severity ratings below are a guideline, not definitive. 
There may be situations where compensating controls or the complexity of a finding increases or decreases severity.**\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices** \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**\n Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n\n**High**\n High vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n\n**Medium**\nMedium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset with a local access vector. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n\n**Low**\n Low vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context: \n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String \n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward these reports and will close them as informative unless there is a direct application security impact on the in-scope GenAI applications. 
A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, getting inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.\n\n## LLM/GenAI Vulnerabilities\n\n|Potential Vulnerabilities\t|Severity\t|Comments\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors. 
Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings** \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability\t|Severity Range\t|\n|---\t|---\t|\n|Remote Code Execution\t|Critical\t|\n|SQL Injection\t|High - Critical\t|\n|XXE\t|High - Critical\t|\n|XSS\t|Medium - High\t|\n|Server-Side Request Forgery\t|Low - Critical\t|\n|Directory Traversal - Local File Inclusion\t|Medium - High\t|\n|Authentication/Authorization Bypass (Broken Access Control)\t|Medium - High\t|\n|Privilege 
Escalation\t|Medium - High\t|\n|Insecure Direct Object Reference\t|Medium - Critical\t|\n|Misconfiguration\t|Low - High\t|\n|Web Cache Deception\t|Low - Medium\t|\n|CORS Misconfiguration\t|Low - Medium\t|\n|CRLF Injection\t|Low - Medium\t|\n|Cross Site Request Forgery\t|Low - Medium\t|\n|Open Redirect\t|Low - Medium\t|\n|Information Disclosure\t|Low - Medium\t|\n|Request smuggling\t|Low - Medium\t|\n|Mixed Content\t|Low\t|\n\n## Out-of-Scope Issues\n\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\nWe require that you - \n\n* Do not access or collect any customer data. 
\n* Do not exploit security vulnerabilities for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n* In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. \nAs long as you comply with this policy: \n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n To protect your privacy, we will not, unless served with legal process or to address a violation of this policy: \n\n* Share your PII with third parties.\n* Share your research without your permission.\n* Share your HackerOne points, or participation without your permission.\n\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-25T23:35:03.384Z"},{"id":3766577,"new_policy":"# Amazon Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n* You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n* Be a resident of, or make your 
submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n* Be employed by Amazon or any subsidiaries of Amazon.\n* Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us`-based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n   * **Not using a version hosted yourself will result in complete forfeiture of any reward.** \n* DOS/DDOS is out of scope on web properties.\n\n## Bypass Reports\n\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [yourh1username@wearehackerone.com](mailto:yourh1username@wearehackerone.com).\n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options: \n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**\n This program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software. \n\n* The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.\n\n**Software Update Reference**\n\n* [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)\n* [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)\n* [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)\n* [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)\n* [Blink Software Versions](https://support.blinkforhome.com/en_US/security-and-app-updates/2016136)\n* [Luna Controller Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G6F4QENEFP5Q5JRZ)\n\n**In Scope Services \u0026 Apps**\n_In Scope Mobile Application Packages:_\n\n|Name\t|Android Package Name\t|Apple iOS App ID\t|\n|---\t|---\t|---\t|\n|FreeTime\t|com.amazon.tahoe.freetime\t|1324809509\t|\n|Alexa Companion App\t|com.amazon.dee.app\t|944011620\t|\n|FireTV (Bison)\t|com.amazon.storm.lightning.client.aosp\t|947984433\t|\n|Kindle\t|com.amazon.kindle\t|302584613\t|\n|Amazon Photos\t|com.amazon.clouddrive.photos\t|621574163\t|\n|Amazon Key\t|com.amazon.cosmos\t|1291586307\t|\n|Amazon Luna\t|com.amazon.tails\t|1528364633\t|\n\n==(**Note:** Reports on 
outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains:_\n\n|Name\t|Domain\t|\n|---\t|---\t|\n|Alexa Developer\t|[developer.amazon.com/alexa/*](http://developer.amazon.com/alexa/)\t|\n|Amazon App Store\t|[developer.amazon.com/apps-and-games/*](http://developer.amazon.com/apps-and-games/)\t|\n|Alexa Web\t|[alexa.amazon.com](http://alexa.amazon.com/)\t|\n|Skills Store\t|[skills-store.amazon.com](http://skills-store.amazon.com/)\t|\n|Kindle Cloud Reader\t|[read.amazon.com](http://read.amazon.com/)\t|\n|Kindle Publishing\t|[https://kdp.amazon.com](https://kdp.amazon.com/)\t|\n|Alexa Answers\t|[alexaanswers.amazon.com](http://alexaanswers.amazon.com/)\t|\n|Alexa BluePrints\t|[blueprints.amazon.com](http://blueprints.amazon.com/)\t|\n|Amazon FireTV App Creator\t|[creator.amazon.com](http://creator.amazon.com/)\t|\n|Device Content Manager\t|[amazon.com/hz/mycd/*](http://amazon.com/hz/mycd/)\t|\n|Amazon Photos\t|https://www.amazon.com/photos/\t|\n|Amazon Luna\t|https://luna.amazon.com/\t|\n|Alexa API\t|https://api.amazonalexa.com/\t|\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**The severity ratings below are a guideline, not definitive. 
There may be situations where compensating controls or the complexity of an exploit increases or decreases severity.**\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices** \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**\n Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n\n**High**\n High vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n\n**Medium**\nMedium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset with a local access vector. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n\n**Low**\n Low vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context: \n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String \n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward these reports and will close them as informative unless there is a direct application security impact on the in-scope GenAI applications. 
A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, getting inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.\n\n## LLM/GenAI Vulnerabilities\n\n|Potential Vulnerabilities\t|Severity\t|Comments\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors. 
Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by the excessive agency issue.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings** \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability\t|Severity Range\t|\n|---\t|---\t|\n|Remote Code Execution\t|Critical\t|\n|SQL Injection\t|High - Critical\t|\n|XXE\t|High - Critical\t|\n|XSS\t|Medium - High\t|\n|Server-Side Request Forgery\t|Low - Critical\t|\n|Directory Traversal - Local File Inclusion\t|Medium - High\t|\n|Authentication/Authorization Bypass (Broken Access Control)\t|Medium - High\t|\n|Privilege Escalation\t|Medium - High\t|\n|Insecure Direct Object Reference\t|Medium - Critical\t|\n|Misconfiguration\t|Low - High\t|\n|Web Cache Deception\t|Low - Medium\t|\n|CORS Misconfiguration\t|Low - Medium\t|\n|CRLF Injection\t|Low - Medium\t|\n|Cross Site Request Forgery\t|Low - Medium\t|\n|Open Redirect\t|Low - Medium\t|\n|Information Disclosure\t|Low - Medium\t|\n|Request Smuggling\t|Low - Medium\t|\n|Mixed Content\t|Low\t|\n\n## Out-of-Scope Issues\n\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for customers. We will accept, but do not reward, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\nWe require that you - \n\n* Do not access or collect any customer data. 
\n* Do not exploit security vulnerabilities for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n* In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. \nAs long as you comply with this policy: \n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n To protect your privacy, we will not, unless served with legal process or to address a violation of this policy: \n\n* Share your PII with third parties.\n* Share your research without your permission.\n* Share your HackerOne points, or participation without your permission.\n\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-25T23:34:12.969Z"},{"id":3766573,"new_policy":"# Amazon Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and the detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n* You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n* Be a resident of, or make your 
submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n* Be employed by Amazon or any subsidiaries of Amazon.\n* Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo. Our concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n   * **Not using a version hosted yourself will result in complete forfeiture of any reward.** \n* DOS/DDOS is out of scope on web properties\n\n## Bypass Reports\n\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [yourh1username@wearehackerone.com](mailto:yourh1username@wearehackerone.com)\n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options: \n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**\nThis program covers vulnerabilities discovered on the devices listed below that are running the latest available software. \n\n* The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.\n\n**Software Update Reference**\n\n* [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)\n* [Fire Tablet Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)\n* [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)\n* [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)\n* [Blink Software Versions](https://support.blinkforhome.com/en_US/security-and-app-updates/2016136)\n* [Luna Controller Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G6F4QENEFP5Q5JRZ)\n\n**In Scope Services \u0026 Apps**\n_In Scope Mobile Application Packages:_\n\n|Name\t|Android Package Name\t|Apple iOS App ID\t|\n|---\t|---\t|---\t|\n|FreeTime\t|com.amazon.tahoe.freetime\t|1324809509\t|\n|Alexa Companion App\t|com.amazon.dee.app\t|944011620\t|\n|FireTV (Bison)\t|com.amazon.storm.lightning.client.aosp\t|947984433\t|\n|Kindle\t|com.amazon.kindle\t|302584613\t|\n|Amazon Photos\t|com.amazon.clouddrive.photos\t|621574163\t|\n|Amazon Key\t|com.amazon.cosmos\t|1291586307\t|\n|Amazon Luna\t|com.amazon.tails\t|1528364633\t|\n\n==(**Note:** Reports on 
outdated versions/builds are out of scope)==\n\n_In Scope Web Application Domains:_\n\n|Name\t|Domain\t|\n|---\t|---\t|\n|Alexa Developer\t|[developer.amazon.com/alexa/*](http://developer.amazon.com/alexa/)\t|\n|Amazon App Store\t|[developer.amazon.com/apps-and-games/*](http://developer.amazon.com/apps-and-games/)\t|\n|Alexa Web\t|[alexa.amazon.com](http://alexa.amazon.com/)\t|\n|Skills Store\t|[skills-store.amazon.com](http://skills-store.amazon.com/)\t|\n|Kindle Cloud Reader\t|[read.amazon.com](http://read.amazon.com/)\t|\n|Kindle Publishing\t|[https://kdp.amazon.com](https://kdp.amazon.com/)\t|\n|Alexa Answers\t|[alexaanswers.amazon.com](http://alexaanswers.amazon.com/)\t|\n|Alexa BluePrints\t|[blueprints.amazon.com](http://blueprints.amazon.com/)\t|\n|Amazon FireTV App Creator\t|[creator.amazon.com](http://creator.amazon.com/)\t|\n|Device Content Manager\t|[amazon.com/hz/mycd/*](http://amazon.com/hz/mycd/)\t|\n|Amazon Photos\t|https://www.amazon.com/photos/\t|\n|Amazon Luna\t|https://luna.amazon.com/\t|\n|Alexa API\t|https://api.amazonalexa.com/\t|\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following descriptions to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the descriptions below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**The severity ratings below are a guideline, not definitive. 
There may be situations where compensating controls or exploit complexity decrease or increase severity.**\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices** \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**\nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after a factory reset. Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls (for example, a secure boot bypass) fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or gain remote access to sensitive assets on the device (for example, a device owner’s Amazon account credentials or authentication tokens), are also classified as critical vulnerabilities.\n\n**High**\nHigh vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, this category includes device bricking scenarios: vulnerabilities that cause permanent, unrecoverable device failure even after a factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n\n**Medium**\nMedium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset (local access vector). Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require chaining with other vulnerabilities or user interaction.\n\n**Low**\nLow vulnerabilities are those that do not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some items won’t be applicable depending on context: \n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String \n    * Security Impact\n\nPlease note that any reports related to prompt response content are out of scope where there is no clear application security impact and the potential issue concerns responsible AI usage. We will not reward these reports and will close them as informative unless there is a direct application security impact on the in-scope GenAI applications. 
A few examples of such out-of-scope reports are generating inappropriate text or visual content with the model, obtaining inappropriate suggestions from the model, and malicious code generation. Any issues that are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.\n\n## LLM/GenAI Vulnerabilities\n\n|Potential Vulnerabilities\t|Severity\t|Comments\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross-customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors. 
Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by the excessive agency issue.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings** \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability\t|Severity Range\t|\n|---\t|---\t|\n|Remote Code Execution\t|Critical\t|\n|SQL Injection\t|High - Critical\t|\n|XXE\t|High - Critical\t|\n|XSS\t|Medium - High\t|\n|Server-Side Request Forgery\t|Low - Critical\t|\n|Directory Traversal - Local File Inclusion\t|Medium - High\t|\n|Authentication/Authorization Bypass (Broken Access Control)\t|Medium - High\t|\n|Privilege Escalation\t|Medium - High\t|\n|Insecure Direct Object Reference\t|Medium - Critical\t|\n|Misconfiguration\t|Low - High\t|\n|Web Cache Deception\t|Low - Medium\t|\n|CORS Misconfiguration\t|Low - Medium\t|\n|CRLF Injection\t|Low - Medium\t|\n|Cross Site Request Forgery\t|Low - Medium\t|\n|Open Redirect\t|Low - Medium\t|\n|Information Disclosure\t|Low - Medium\t|\n|Request Smuggling\t|Low - Medium\t|\n|Mixed Content\t|Low\t|\n\n## Out-of-Scope Issues\n\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for customers. We will accept, but do not reward, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\nWe require that you - \n\n* Do not access or collect any customer data. 
\n* Do not exploit security vulnerabilities for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n* In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. \nAs long as you comply with this policy: \n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n To protect your privacy, we will not, unless served with legal process or to address a violation of this policy: \n\n* Share your PII with third parties.\n* Share your research without your permission.\n* Share your HackerOne points, or participation without your permission.\n\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-25T23:29:58.098Z"},{"id":3762212,"new_policy":"# Amazon Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and the detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n* You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n* Be a resident of, or make your 
submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n* Be employed by Amazon or any subsidiaries of Amazon.\n* Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo. Our concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n   * **Not using a version hosted yourself will result in complete forfeiture of any reward.** \n* DOS/DDOS is out of scope on web properties\n\n## Bypass Reports\n\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [yourh1username@wearehackerone.com](mailto:yourh1username@wearehackerone.com)\n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options: \n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**\nThis program covers vulnerabilities discovered on the devices listed below that are running the latest available software. \n\n* The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.\n\n**Software Update Reference**\n\n* [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)\n* [Fire Tablet Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)\n* [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)\n* [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)\n* [Blink Software Versions](https://support.blinkforhome.com/en_US/security-and-app-updates/2016136)\n* [Luna Controller Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G6F4QENEFP5Q5JRZ)\n\n**In Scope Services \u0026 Apps**\n_In Scope Mobile Application Packages:_\n\n|Name\t|Android Package Name\t|Apple iOS App ID\t|\n|---\t|---\t|---\t|\n|FreeTime\t|com.amazon.tahoe.freetime\t|1324809509\t|\n|Alexa Companion App\t|com.amazon.dee.app\t|944011620\t|\n|FireTV (Bison)\t|com.amazon.storm.lightning.client.aosp\t|947984433\t|\n|Kindle\t|com.amazon.kindle\t|302584613\t|\n|Amazon Photos\t|com.amazon.clouddrive.photos\t|621574163\t|\n|Amazon Key\t|com.amazon.cosmos\t|1291586307\t|\n|Amazon Luna\t|com.amazon.tails\t|1528364633\t|\n\n==(**Note:** Reports on 
outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains:_\n\n|Name\t|Domain\t|\n|---\t|---\t|\n|Alexa Developer\t|[developer.amazon.com/alexa/*](http://developer.amazon.com/alexa/)\t|\n|Amazon App Store\t|[developer.amazon.com/apps-and-games/*](http://developer.amazon.com/apps-and-games/)\t|\n|Alexa Web\t|[alexa.amazon.com](http://alexa.amazon.com/)\t|\n|Skills Store\t|[skills-store.amazon.com](http://skills-store.amazon.com/)\t|\n|Kindle Cloud Reader\t|[read.amazon.com](http://read.amazon.com/)\t|\n|Kindle Publishing\t|[https://kdp.amazon.com](https://kdp.amazon.com/)\t|\n|Alexa Answers\t|[alexaanswers.amazon.com](http://alexaanswers.amazon.com/)\t|\n|Alexa BluePrints\t|[blueprints.amazon.com](http://blueprints.amazon.com/)\t|\n|Amazon FireTV App Creator\t|[creator.amazon.com](http://creator.amazon.com/)\t|\n|Device Content Manager\t|[amazon.com/hz/mycd/*](http://amazon.com/hz/mycd/)\t|\n|Amazon Photos\t|https://www.amazon.com/photos/\t|\n|Amazon Luna\t|https://luna.amazon.com/\t|\n|Alexa API\t|https://api.amazonalexa.com/\t|\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices** \n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**\n Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n\n**High**\n High vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.\n\n**Medium**\nMedium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset with local access vector. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n\n**Low**\n Low vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context: \n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String \n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward on these reports and close them as informative unless there is direct application security impact on the in-scope GenAI applications. 
A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.\n\n## LLM/GenAI Vulnerabilities\n\n|Potential Vulnerabilities\t|Severity\t|Comments\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors. 
Please make sure to read the notes above\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings** \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability\t|Severity Range\t|\n|---\t|---\t|\n|Remote Code Execution\t|Critical\t|\n|SQL Injection\t|High - Critical\t|\n|XXE\t|High - Critical\t|\n|XSS\t|Medium - High\t|\n|Server-Side Request Forgery\t|Low - Critical\t|\n|Directory Traversal - Local File Inclusion\t|Medium - High\t|\n|Authentication/Authorization Bypass (Broken Access Control)\t|Medium - High\t|\n|Privilege 
Escalation\t|Medium - High\t|\n|Insecure Direct Object Reference\t|Medium - Critical\t|\n|Misconfiguration\t|Low - High\t|\n|Web Cache Deception\t|Low - Medium\t|\n|CORS Misconfiguration\t|Low - Medium\t|\n|CRLF Injection\t|Low - Medium\t|\n|Cross Site Request Forgery\t|Low - Medium\t|\n|Open Redirect\t|Low - Medium\t|\n|Information Disclosure\t|Low - Medium\t|\n|Request smuggling\t|Low - Medium\t|\n|Mixed Content\t|Low\t|\n\n## Out-of-Scope Issues\n\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\nWe require that you - \n\n* Do not access or collect any customer data. 
\n* Do not exploit security vulnerabilities for any purposes other than testing.\n* Must not publicly disclose any information regarding the reported issue without written consent from Amazon.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. \nAs long as you comply with this policy: \n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n To protect your privacy, we will not, unless served with legal process or to address a violation of this policy: \n\n* Share your PII with third parties.\n* Share your research without your permission.\n* Share your HackerOne points, or participation without your permission.\n\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-03T00:43:16.213Z"},{"id":3762210,"new_policy":"# Amazon Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Fire branded devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n* You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n* Be a resident of, or make your 
submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n* Be employed by Amazon or any subsidiaries of Amazon.\n* Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties\n\n**Not using a version hosted yourself, will result in complete forfeiture of any reward.** \n\n## Bypass Reports\n\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using [yourh1username@wearehackerone.com](mailto:yourh1username@wearehackerone.com)\n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options: \n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**\n This program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software. \n\n* The Bug Bounty program covers all Amazon-branded or manufactured devices sold by Amazon or an authorized retailer, including all Fire devices and tablets, Echo, Kindle, Blink, Alexa, and Luna Gaming devices that are running the latest available software.\n\n**Software Update Reference**\n\n* [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)\n* [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)\n* [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)\n* [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)\n* [Blink Software Versions](https://support.blinkforhome.com/en_US/security-and-app-updates/2016136)\n* [Luna Controller Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=G6F4QENEFP5Q5JRZ)\n\n**In Scope Services \u0026 Apps**\n_In Scope Mobile Application Packages:_\n\n|Name\t|Android Package Name\t|Apple iOS App ID\t|\n|---\t|---\t|---\t|\n|FreeTime\t|com.amazon.tahoe.freetime\t|1324809509\t|\n|Alexa Companion App\t|com.amazon.dee.app\t|944011620\t|\n|FireTV (Bison)\t|com.amazon.storm.lightning.client.aosp\t|947984433\t|\n|Kindle\t|com.amazon.kindle\t|302584613\t|\n|Amazon Photos\t|com.amazon.clouddrive.photos\t|621574163\t|\n|Amazon Key\t|com.amazon.cosmos\t|1291586307\t|\n|Amazon Luna\t|com.amazon.tails\t|1528364633\t|\n\n==(**Note:** Reports on 
outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains:_\n\n|Name\t|Domain\t|\n|---\t|---\t|\n|Alexa Developer\t|[developer.amazon.com/alexa/*](http://developer.amazon.com/alexa/)\t|\n|Amazon App Store\t|[developer.amazon.com/apps-and-games/*](http://developer.amazon.com/apps-and-games/)\t|\n|Alexa Web\t|[alexa.amazon.com](http://alexa.amazon.com/)\t|\n|Skills Store\t|[skills-store.amazon.com](http://skills-store.amazon.com/)\t|\n|Kindle Cloud Reader\t|[read.amazon.com](http://read.amazon.com/)\t|\n|Kindle Publishing\t|[https://kdp.amazon.com](https://kdp.amazon.com/)\t|\n|Alexa Answers\t|[alexaanswers.amazon.com](http://alexaanswers.amazon.com/)\t|\n|Alexa BluePrints\t|[blueprints.amazon.com](http://blueprints.amazon.com/)\t|\n|Amazon FireTV App Creator\t|[creator.amazon.com](http://creator.amazon.com/)\t|\n|Device Content Manager\t|[amazon.com/hz/mycd/*](http://amazon.com/hz/mycd/)\t|\n|Amazon Photos\t|https://www.amazon.com/photos/\t|\n|Amazon Luna\t|https://luna.amazon.com/\t|\n|Alexa API\t|https://api.amazonalexa.com/\t|\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices** \n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**\n Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n\n**High**\n High vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.\n\n**Medium**\nMedium vulnerabilities may allow a local attacker to cause temporary device failure requiring a factory reset with local access vector. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n\n**Low**\n Low vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context: \n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String \n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward on these reports and close them as informative unless there is direct application security impact on the in-scope GenAI applications. 
A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or Child Sex Abuse Material (CSAM) in reports. Amazon Bug Bounty will not review this material or reward it, and your account may be banned.\n\n## LLM/GenAI Vulnerabilities\n\n|Potential Vulnerabilities\t|Severity\t|Comments\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors. 
Please make sure to read the notes above\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings** \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability\t|Severity Range\t|\n|---\t|---\t|\n|Remote Code Execution\t|Critical\t|\n|SQL Injection\t|High - Critical\t|\n|XXE\t|High - Critical\t|\n|XSS\t|Medium - High\t|\n|Server-Side Request Forgery\t|Low - Critical\t|\n|Directory Traversal - Local File Inclusion\t|Medium - High\t|\n|Authentication/Authorization Bypass (Broken Access Control)\t|Medium - High\t|\n|Privilege 
Escalation\t|Medium - High\t|\n|Insecure Direct Object Reference\t|Medium - Critical\t|\n|Misconfiguration\t|Low - High\t|\n|Web Cache Deception\t|Low - Medium\t|\n|CORS Misconfiguration\t|Low - Medium\t|\n|CRLF Injection\t|Low - Medium\t|\n|Cross Site Request Forgery\t|Low - Medium\t|\n|Open Redirect\t|Low - Medium\t|\n|Information Disclosure\t|Low - Medium\t|\n|Request smuggling\t|Low - Medium\t|\n|Mixed Content\t|Low\t|\n\n## Out-of-Scope Issues\n\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, password dumps, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\nWe require that you - \n\n* Do not access or collect any customer data. 
\n* Do not exploit security vulnerabilities for any purposes other than testing.\n* Must not publicly disclose any information regarding the reported issue without written consent from Amazon.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy. \nAs long as you comply with this policy: \n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology. \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n To protect your privacy, we will not, unless served with legal process or to address a violation of this policy: \n\n* Share your PII with third parties.\n* Share your research without your permission.\n* Share your HackerOne points, or participation without your permission.\n\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-03T00:33:55.427Z"},{"id":3761238,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements: \n\n-   Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports  \nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on the reward; it just helps Amazon with secondary data tracking.\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing, please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program covers vulnerabilities discovered on the devices listed below when they are running the latest available software.   \n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9).\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller.\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon 
Photos       | com.amazon.clouddrive.photos           | 621574163        |\n| Amazon Key          | com.amazon.cosmos                      | 1291586307       |\n| Amazon Luna         | com.amazon.tails                       | 1528364633       |\n\n==(**Note:** Reports on outdated versions/builds are out of scope)==\n\n_In Scope Web Application Domains_\n\n| Name                      | Domain                                |\n|---------------------------|---------------------------------------|\n| Alexa Developer           | developer.amazon.com/alexa/*          |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls (for example, a secure boot bypass) fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or gain remote access to sensitive assets on the device (for example, a device owner’s Amazon account credentials or authentication tokens), are also classified as critical vulnerabilities.\n  \n**High**  \nHigh-severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios, such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset, with a local access vector, would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow-severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward these reports and will close them as informative unless there is direct application security impact on the in-scope GenAI applications. 
A few examples of such out-of-scope reports are generation of inappropriate text/visual content with the model, obtaining inappropriate suggestions from the model, and malicious code generation. Any issues that are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and influencing factors. Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting potential vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive 
agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Out-of-Scope Issues\n\n* Bitflipping, 
Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist (e.g., missing security headers)\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact (e.g., Login CSRF, Logout CSRF)\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n\n### Operational Security Issues\n\nThe goal of this program is to improve the security of our services for customers. We do not reward “Operational Security” (OpSec) submissions, but we will accept them. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you:  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-15T23:12:10.016Z"},{"id":3756208,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable investment of effort, time, and skill from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements: \n\n-   Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports  \nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on the reward; it just helps Amazon with secondary data tracking.\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing, please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program covers vulnerabilities discovered on the devices listed below when they are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9).\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller.\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos       | com.amazon.clouddrive.photos           | 621574163        |\n| Amazon Key          | com.amazon.cosmos                      | 1291586307       |\n| Amazon Luna         | com.amazon.tails                       | 1528364633       |\n\n==(**Note:** Reports on outdated versions/builds are out of scope)==\n\n_In Scope Web Application Domains_\n\n| Name                      | Domain                                |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           | developer.amazon.com/alexa/*          |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls (for example, a secure boot bypass) fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or gain remote access to sensitive assets on the device (for example, a device owner’s Amazon account credentials or authentication tokens), are also classified as critical vulnerabilities.\n  \n**High**  \nHigh-severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios, such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset, with a local access vector, would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow-severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward these reports and will close them as informative unless there is direct application security impact on the in-scope GenAI applications. 
A few examples of such out-of-scope reports are generation of inappropriate text/visual content with the model, obtaining inappropriate suggestions from the model, and malicious code generation. Any issues that are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and influencing factors. Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting potential vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive 
agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure 
Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.  \nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-23T21:59:44.811Z"},{"id":3755121,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application on which the research was performed, a clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           | developer.amazon.com/alexa/*          |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with a local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward these reports and will close them as informative unless there is direct application security impact on the in-scope GenAI applications. 
A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, getting inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and influencing factors. Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting potential vulnerabilities, like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive 
agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure 
Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.  \nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T17:38:35.999Z"},{"id":3754948,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application on which the research was performed, a clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           | developer.amazon.com/alexa/*          |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app. Parental control bypasses are also at this level.\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. 
We will not reward these reports and will close them as informative unless there is direct application security impact on the in-scope GenAI applications. A few examples of such out-of-scope reports are generation of inappropriate text/visual content with the model, inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sexual Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and influencing factors. Please make sure to read the notes above.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact like content injection, code execution, differential error 
responses, system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| 
Information Disclosure | Low - Medium |\n| Request smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  \nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T18:11:58.991Z"},{"id":3754341,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. 
In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device (for example, a device owner’s Amazon account credentials or authentication tokens), are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app. 
Parental control bypasses are also at this level.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-24T19:11:22.060Z"},{"id":3751727,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids              | a4k.amazon.com                        |\n| Amazon Photos             | https://www.amazon.com/photos/*       |\n| Amazon Luna               | TBD                                   |\n| Alexa API                 | https://api.amazonalexa.com/*         |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, or installing apps.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app. Parental control bypasses are also at this level.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-13T19:43:16.414Z"},{"id":3746366,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* DOS/DDOS is out of scope on web properties\n\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, or installing apps.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app. Parental control bypasses are also at this level.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-10T18:17:59.450Z"},{"id":3745641,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test , in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, or installing apps.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app. Parental control bypasses are also at this level.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-03T04:53:57.883Z"},{"id":3743244,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test , in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T23:04:42.697Z"},{"id":3743243,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T23:03:46.176Z"},{"id":3743236,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Any application-level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, `https://domain.com/endpoint?cb=test`; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution or gain remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or parental control bypasses) are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device are categorized as Medium severity. Protocol security weaknesses that allow observing sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T22:50:43.539Z"},{"id":3736171,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution or gain remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or parental control bypasses) are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device are categorized as Medium severity. Protocol security weaknesses that allow observing sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-14T21:16:43.344Z"},{"id":3732763,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or parental control bypasses), are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device are categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot triggered by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you:  \n\n-   Do not access or collect any customer data.\n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-17T20:39:34.016Z"},{"id":3732075,"new_policy":"==**At 10:00 UTC July 15th, HackerOne is updating to a new policy format that will provide better clarity and structure. This functionality makes it clear how Amazon's program behaves. Note that when this functionality goes live, the settings will not immediately reflect the true status of things. Until UTC 00:00 July 19th, please follow the policy as it's written and not the newly created modals. Thank you.**==\n\n# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n-   Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report vulnerabilities only for the products or services listed within the scope of the program; a report must not be a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in an SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e.\n\nAlso, while testing, please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n\n- **Type:** `Request header`\n- **Match:** `^User-Agent.*$`\n- **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program rewards vulnerabilities discovered on the devices listed below that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or parental control bypasses), are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device are categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot triggered by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you:  \n\n-   Do not access or collect any customer data.\n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-11T23:04:09.023Z"},{"id":3731880,"new_policy":"==**At 10:00 UTC July 10th, HackerOne is updating to a new policy format that will provide better clarity and structure. This functionality makes it clear how Amazon's program behaves. Note that when this functionality goes live, the settings will not immediately reflect the true status of things. Until UTC 00:00 July 13th, please follow the policy as it's written and not the newly created modals. Thank you.**==\n\n# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. 
Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n-   Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report vulnerabilities only for the products or services listed within the scope of the program; a report must not be a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in an SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, 
or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e.\n\nAlso, while testing, please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n\n- **Type:** `Request header`\n- **Match:** `^User-Agent.*$`\n- **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program rewards vulnerabilities discovered on the devices listed below that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-10T00:31:11.634Z"},{"id":3708357,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points, or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-30T23:53:33.650Z"},{"id":3699656,"new_policy":"#Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires considerable amount of effort, time, and skills investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers/improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of The Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by the HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder)\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n##Additional Rules of Engagement\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa 
Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  
\n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any other purposes than for testing.\n-   Must not publicly disclose any information regarding the reported issue without written consent from Amazon\n-   In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-08T21:17:45.957Z"},{"id":3685430,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable amount of effort, time, and skill investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in the SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n-  **Halo:** Halo View, Halo\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Halo                | com.amazon.healthtech.malibu           | 1496435377       |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications 
Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. 
Vulnerabilities that allow an attacker to perform arbitrary code execution, gain remote access to sensitive assets on the device (for example a device owner’s Amazon account credentials or authentication tokens), or remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service that makes a device crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example modifying privacy settings, installing apps, or bypassing parental controls) are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-27T23:41:04.704Z"},{"id":3683200,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable amount of effort, time, and skill investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in the SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n* Do not test `Contact Us` based 
functionality.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   
\n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n-  **Halo:** Halo View, Halo\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Halo                | com.amazon.healthtech.malibu           | 1496435377       |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications 
Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. 
Vulnerabilities that allow an attacker to perform arbitrary code execution, gain remote access to sensitive assets on the device (for example a device owner’s Amazon account credentials or authentication tokens), or remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service that makes a device crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example modifying privacy settings or installing apps) are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. \n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, you must notify us of what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-08T19:13:09.257Z"},{"id":3678789,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high-quality security research requires a considerable amount of effort, time, and skill investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention and further protect our customers and improve the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including - the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in the SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n\n- Do not test `Contact Us` based 
functionality.\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:  \n**Type:** `Request header`  \n**Match:** `^User-Agent.*$`  \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program sponsors the vulnerabilities discovered on devices (listed below) that are running the latest available software.   \n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n-  **Halo:** Halo View, Halo\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID 
|\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Halo                | com.amazon.healthtech.malibu           | 1496435377       |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the 
product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, gain remote access to sensitive assets on the device (for example a device owner’s Amazon account credentials or authentication tokens), or remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow a temporary bypass of critical security controls through local access, or cause a temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that bypass core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. 
Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing exploit mitigations also fall into this category. These vulnerabilities could have an impact similar to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot triggered by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. 
\n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-19T16:49:08.044Z"},{"id":3677463,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skill investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention, further protecting our customers and improving the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report vulnerabilities only for the products or services listed within the scope of the program; a report must not be a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Additional Rules of Engagement\n- Do not test `Contact Us` based 
functionality.\n\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n\n- **Type:** `Request header`\n- **Match:** `^User-Agent.*$`\n- **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software.   \n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n-  **Halo:** Halo View, Halo\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID 
|\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime              | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Halo                | com.amazon.healthtech.malibu           | 1496435377       |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the 
product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, gain remote access to sensitive assets on the device (for example a device owner’s Amazon account credentials or authentication tokens), or remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow a temporary bypass of critical security controls through local access, or cause a temporary denial of service (a device crash or reboot) through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that bypass core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. 
Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing exploit mitigations also fall into this category. These vulnerabilities could have an impact similar to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot triggered by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. 
\n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-19T23:37:47.601Z"},{"id":3677278,"new_policy":"# Amazon VRP Devices and Services Bug Bounty Program Overview\n\nSafeguarding our customers’ security is a top priority. We recognize that performing high quality security research requires a considerable amount of effort, time, and skill investment from researchers. We value the contributions of external security researchers who help bring potential issues to our attention, further protecting our customers and improving the security of our devices and services. The Amazon Devices and Services bug bounty program is designed to recognize security research on our consumer electronics - Kindle E-Readers, Tablets, Fire TV, and Echo family devices, associated cloud services and web/mobile applications - through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the Amazon Devices and Services Bug Bounty Program.\n\n## Amazon Devices and Services Bug Bounty Program Process\n\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions we will communicate and work with you through the HackerOne portal. \n  \nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements - \n\n-   Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n-   Report vulnerabilities only for the products or services listed within the scope of the program; a report must not be a duplicate submission of a previously known vulnerability.\n-   Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n-   Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on Amazon Digital products.\n-   You must be available to provide additional information if needed by us to reproduce and investigate your report.\n-   You must abide by HackerOne’s [Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Restrictions\n\nTo be eligible for the program, you must not:\n\n- Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions.\n- Be employed by Amazon or any subsidiaries of Amazon.\n- Be an immediate family member of a person employed by Amazon or any subsidiaries of Amazon.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts 
using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string `amazonvrpresearcher_yourh1username` in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n\n- **Type:** `Request header`\n- **Match:** `^User-Agent.*$`\n- **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n\n## Devices and Services Bug Bounty Program Scope\n\n**In Scope Devices**  \nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software.   \n\n-  **FireTV:** Fire TV Stick (Gen 3), Amazon Fire TV Cube (Gen 2), Fire TV Stick Lite, Fire TV Blaster.\n-  **Echo Family Devices:** Echo (Gen 4), Echo Dot (Gen 4), Echo Dot with Clock (Gen 4), Echo Show 10, Echo Flex, Echo Buds, Echo Frames, Echo Auto.\n-  **Tablets:** Fire HD 8 (Gen 10), Fire 7\" (Gen 9), Fire HD 10 (Gen 9)\n-  **Kindle E-Reader:** Kindle Oasis (Gen 10), Kindle (Gen 10).\n-  **Luna:** Luna Controller\n-  **Halo:** Halo View, Halo\n\n\n**Software Update Reference**\n\n- [Kindle E-Reader Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW)  \n- [FireTV Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=201497590)  \n- [Echo Software Versions](https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY)  \n- [Fire Tablet Software Version](https://www.amazon.com/gp/help/customer/display.html?nodeId=G2JXLC4L34GX73TE)  \n  \n**In Scope Services \u0026 Apps**  \n_In Scope Mobile Application Packages:_\n\n\n| Name                | Android Package Name                   | Apple iOS App ID |\n|---------------------|----------------------------------------|------------------|\n| FreeTime            | com.amazon.tahoe.freetime 
             | 1324809509       |\n| Alexa Companion App | com.amazon.dee.app                     | 944011620        |\n| FireTV (Bison)      | com.amazon.storm.lightning.client.aosp | 947984433        |\n| Halo                | com.amazon.healthtech.malibu           | 1496435377       |\n| Kindle              | com.amazon.kindle                      | 302584613        |\n| Amazon Photos              | com.amazon.clouddrive.photos                      | 621574163       |\n| Amazon Key              | com.amazon.cosmos                      | 1291586307        |\n| Amazon Luna              | com.amazon.tails                      | 1528364633        |\n==(**Note:** Reports on outdated version/builds are out of scope)==\n\n_In Scope Web Applications Domains_\n\n| Name | Domain |\n|---------------------------|---------------------------------------|\n| Alexa Developer           |  developer.amazon.com/alexa/* |\n| Amazon App Store          | developer.amazon.com/apps-and-games/* |\n| Alexa Web                 | alexa.amazon.com                      |\n| Skills Store              | skills-store.amazon.com               |\n| Kindle Cloud Reader       | read.amazon.com                       |\n| Alexa Answers             | alexaanswers.amazon.com               |\n| Alexa BluePrints          | blueprints.amazon.com                 |\n| Amazon FireTV App Creator | creator.amazon.com                    |\n| Device Content Manager    | amazon.com/hz/mycd/*                  |\n| Alexa 4 Kids    | a4k.amazon.com                  |\n| Amazon Photos    | https://www.amazon.com/photos/*                  |\n| Amazon Luna    | TBD                  |\n| Alexa API    | https://api.amazonalexa.com/*                  |\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. 
Please note there maybe additional vulnerabilities that are not explicitly called out in the below description. In all cases, Amazon reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Rating for Devices**  \n  \n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings or installing apps are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. 
Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n**Service \u0026 Apps Vulnerability Severity Ratings**  \n  \nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|-|-|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request smuggling | Low – Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nBy participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n\nWe require that you -  \n\n-   Do not access or collect any customer data. 
\n-   Do not exploit security vulnerabilities for any purpose other than testing.\n-   Do not publicly disclose any information regarding the reported issue without written consent from Amazon.\n-   In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures that protect the services and applications eligible under this policy.  \n  \nAs long as you comply with this policy:  \n\n-   We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n-   We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for any liability you incur from actions performed on third parties or their technology.  \n  \nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.  
\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:  \n\n-   Share your PII with third parties.\n-   Share your research without your permission.\n-   Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-13T15:48:30.244Z"}]
