[{"id":3761236,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via the [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring).\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero).\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP.\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child), are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). 
Residents of any countries/regions that are subject to United States sanctions (such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea) and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for a reward, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out with questions or for clarification. 
You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on the latest in-scope assets)\n\n\nAll retail marketplaces are wildcard scoped: every subdomain of the marketplace domains below is in scope (for example `*.amazon.com`), subject to the exclusions listed under Always out of scope.\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n\n##Always out of scope and not reward eligible\n\nIMPORTANT NOTE: DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. 
Amazon Bug Bounty will not review this material or reward it.\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This list is a general guideline and may not be exact. As an infrastructure provider, AWS has customers who operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. If you are not able to demonstrate an impact on bounty-eligible assets, that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. 
Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation, such as modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the report content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. \n      * Invalid Example: Testing many individual instances of a single issue for the purpose of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. 
Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\nThis rule replaces the whole User-Agent header. Since the string only has to appear somewhere in the header, you may instead append it to your existing User-Agent value if a browser-like value is needed for the target to behave normally.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* The Shodan SSL certificate display and \"General Information\" may say `Amazon` when the host is actually an Amazon customer using AWS. This cannot be used as evidence that something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. 
Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [copyright infringement reporting page](https://www.amazon.com/gp/help/reports/infringement).\n\n## Bypass Reports  \nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research conducted in accordance with this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | High - Critical |\n| 5 | Server-Side Request Forgery | Medium - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - High |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for the severity these issues are given.\n\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions, please include as much of the following information as you can for your report to be considered. Some items won’t be applicable depending on context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that reports about prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. 
We will not reward these reports and will close them as informative unless there is direct application security impact on the in-scope GenAI applications. Examples of such out-of-scope reports are generating inappropriate text or visual content with the model, getting inappropriate suggestions from the model, and malicious code generation. Any issues that are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**|**Severity**|**Comments**|\n|---|---|---|\n|Unauthorized access/disclosure of PII/PHI data|High - Critical|Severity will be dependent on the context and influencing factors.|\n|Cross customer sensitive data access|High - Critical|Severity will be dependent on the context and influencing factors.|\n|Unauthorized system or environment changes|High - Critical|Severity will be dependent on the context and influencing factors.|\n|Model theft and LLM training data poisoning|High - Critical|Depending on the overall impact and application context.|\n|Adversaries can retrieve personal customer data without consent|High - Critical|Severity will be dependent on the context and influencing factors.|\n|Information Disclosure|Low - Critical|Severity will be dependent on the context and influencing factors.|\n|Prompt Injection|Medium - Critical|Severity will be dependent on the context and influencing factors. Please make sure to read the notes above.|\n|Insecure Output Handling|Medium - Critical|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.|\n|Insecure plugins impacting models|Medium - High|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.|\n|Excessive functionality, permissions and autonomy|Low - High|Depending on the actions allowed by excessive agency issues.|\n|Response manipulation providing guidance to customers|Medium - High|Severity will be dependent on the context and the guidance.|\n|Adversaries can perform unauthorized actions on behalf of users|Medium - Critical|Depending on the impact, ease and issue radius.|\n|LLM vulnerable to solicitation and social engineering|Medium - High|Depending on the overall impact and application context.|\n|In-context data could be used to de-anonymize users|Medium|Severity will be dependent on the context and influencing factors.|\n|Absent customer API or data opt-out mechanisms|Medium|Severity will be dependent on the context and influencing factors.|\n|Command Injection|High - Critical|Depending on the impact, ease and issue radius.|\n|API Auth Bypass|High - Critical|Depending on the impact, ease and issue radius.|\n|Runtime Information Disclosure|Low - Medium|Severity will be dependent on the context and influencing factors.|\n\n\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope items or assets not listed in scope. Subdomain Takeovers on wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n### Operational Security Issues \nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-15T23:09:31.394Z"},{"id":3756206,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n\n##Always out of scope and not reward eligible\n\nIMPORTANT NOTE: DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it.\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n*  If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks again any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher¬¬_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcheryourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. 
Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL certificate display and \"General Information\" may say `Amazon` but the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n## Bypass Reports  \nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward; it just helps Amazon with secondary data tracking.\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. 
By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. We will not reward on these reports and close them as informative unless there is direct application security impact on the in-scope GenAI applications. A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing 
factors.\tPlease make sure to read notes above|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope items or not listed scope. 
Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-23T21:58:34.201Z"},{"id":3754947,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. 
Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n\n##Always out of scope and not reward eligible\n\nIMPORTANT NOTE: DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. 
Amazon Bug Bounty will not review this material or reward it.\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. 
Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. \n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. 
Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL certificate display and \"General Information\" may say `Amazon` but the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. 
Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## **GenAI Details and Assessment Considerations**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Security Impact\n\nPlease note that any reports related to the prompt response content are out of scope where there is no clear application security impact and the potential issue is about responsible AI usage. 
We will not reward on these reports and close them as informative unless there is direct application security impact on the in-scope GenAI applications. A few examples of these out-of-scope reports are generation of inappropriate text/visual content with the model, inappropriate suggestions from the model, and malicious code generation. Any issues which are the result of model hallucinations are out of scope as well.\n\n**IMPORTANT NOTE:** DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it. \n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Model Theft and LLM training data poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and influencing factors.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and influencing factors.\tPlease make sure to read notes above|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error 
responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and influencing factors.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and influencing factors.\t|\n\n\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope items or not listed scope. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-06T18:11:20.982Z"},{"id":3752746,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. 
You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\nIMPORTANT NOTE: DO NOT submit generated sensitive images such as sexually explicit images, extremely graphic or violent images, or CSAM (Child Sex Abuse Material) in reports. Amazon Bug Bounty will not review this material or reward it.\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. 
If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. 
Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon` but the asset is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [this page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [this page](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research conducted in accordance with the terms of this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting potential vulnerabilities, like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, system data exfiltration, etc.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
|\n| 1                 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-31T22:52:12.732Z"},{"id":3751726,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure is around exposure of vulnerability and sensitive data to said 3rd parties. 
Make sure that all traffic goes through domains only you have control over. **Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon` when the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-13T19:42:54.540Z"},{"id":3751259,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcheryourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon` when the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-05T17:48:48.330Z"},{"id":3747758,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please submit reports via the [AWS Vulnerability Disclosure Program](https://hackerone.com/aws_vdp).\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon` when the host is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n* Any cache poisoning related testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. 
Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, like content injection, code execution, differential error responses, system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover  for out of scope items or not listed scope. Subdomain Takeovers on  Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-10T00:10:38.782Z"},{"id":3747522,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon` when the host is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n* Any cache poisoning related testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. 
Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Have a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Bitflipping, Bitsquatting\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-06T19:59:15.048Z"},{"id":3744643,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on the latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n*  If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of the vulnerability and of sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL certificate details and \"General Information\" may say `Amazon` when the host is actually an Amazon customer using AWS. This cannot be used as evidence that something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n* Any cache poisoning related testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, in https://domain.com/endpoint?cb=test the `cb` parameter is added as a cache buster to prevent any customer impact.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them [here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report them [here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. 
Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Have a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-15T17:15:34.158Z"},{"id":3744016,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself, will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test , in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. 
Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact like content injection, code execution, differential error responses, system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out-of-scope items or scope not listed. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-08T00:25:14.520Z"},{"id":3743235,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself, will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, https://domain.com/endpoint?cb=test , in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. 
Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, e.g. content injection, code execution, differential error responses, system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out of scope items or not listed scope. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDOS\n* Non-Application Logic DOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T22:47:03.139Z"},{"id":3741225,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of the vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon`, but the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine whether something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium - Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on resulting potential vulnerabilities like HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, e.g. content injection, code execution, differential error responses, system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
       |\n| 1                 | Subdomain Takeover for out of scope items or not listed scope. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDOS\n* Non-Application Logic DOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"Amazon rewards for each unique vulnerability defined by single fixes. 
If there are multiple submissions that impact multiple endpoints but these share a single fix, the first report would be accepted and the following would be considered duplicates.\"}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":\"Amazon provides a 25% bypass/incomplete fix bonus on any finding that has been closed for \\u003c6 months.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-04T19:39:58.924Z"},{"id":3738758,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? 
\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951    \n\n**GenAI Details and Assessment Considerations for the above**\n\n* For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n    * Timestamp\n    * IP\n    * Consumed Content | Prompt String\n    * Utterance information (for voice based GenAI)\n    * Security Impact\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\nThis rule replaces the whole header line; appending the string to your existing User-Agent value is also acceptable, since it only needs to appear somewhere in the header.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan's SSL certificate display and \"General Information\" fields may say `Amazon` when the host actually belongs to an Amazon customer using AWS. This cannot be used as evidence that something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please use the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n## LLM/GenAI Vulnerabilities\n\n|**Potential Vulnerabilities**\t|**Severity**\t|**Comments**\t|\n|---\t|---\t|---\t|\n|Unauthorized access/disclosure of PII/PHI data\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Cross customer sensitive data access\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Unauthorized system or environment changes\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Model Theft and LLM training data 
poisoning\t|High-Critical\t|Depending on the overall impact and application context.\t|\n|Adversaries can retrieve personal customer data without consent\t|High-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Information Disclosure\t|Low-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Prompt Injection\t|Medium-Critical\t|Severity will be dependent on the context and data classification.\t|\n|Insecure Output Handling\t|Medium-Critical\t|Impact will depend on the resulting vulnerabilities, such as HTML injection, XSS, SSRF, RCE, etc.\t|\n|Insecure plugins impacting models\t|Medium-High\t|Depending on the impact, such as content injection, code execution, differential error responses, or system data exfiltration.\t|\n|Excessive functionality, permissions and autonomy\t|Low-High\t|Depending on the actions allowed by excessive agency issues.\t|\n|Response manipulation providing guidance to customers\t|Medium-High\t|Severity will be dependent on the context and the guidance.\t|\n|Adversaries can perform unauthorized actions on behalf of users\t|Medium-Critical\t|Depending on the impact, ease and issue radius.\t|\n|LLM vulnerable to solicitation and social engineering\t|Medium-High\t|Depending on the overall impact and application context.\t|\n|In-context data could be used to de-anonymize users\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Absent customer API or data opt-out mechanisms\t|Medium\t|Severity will be dependent on the context and data classification.\t|\n|Command Injection\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|API Auth Bypass\t|High-Critical\t|Depending on the impact, ease and issue radius.\t|\n|Runtime Information Disclosure\t|Low-Medium\t|Severity will be dependent on the context and data classification.\t|\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------         
|\n| 1 | Subdomain takeover on out-of-scope or unlisted assets. Subdomain takeovers on the wildcard-scoped marketplace domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-application-logic DoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n|AWS      |\t All AWS related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-12T18:30:49.837Z"},{"id":3737369,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program 
Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via the [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring).\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero).\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n#Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP.\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, and any person designated on the U.S. 
Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. \n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and retrace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on the latest in-scope assets)\n\n\nAll retail marketplaces are wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au (Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping\n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. 
Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\nThis rule replaces the whole header line; appending the string to your existing User-Agent value is also acceptable, since it only needs to appear somewhere in the header.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan's SSL certificate display and \"General Information\" fields may say `Amazon` when the host actually belongs to an Amazon customer using AWS. This cannot be used as evidence that something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please use the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to an external location |\n| | Multi-model attacks | e.g. content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-Application Logic DoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS-related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-29T19:11:33.813Z"},{"id":3733349,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 
\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring).\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero).\n\n\n#What is VRP?\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n#Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP.\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child), are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us.\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on the latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher through our own vulnerability response program.\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing)\n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan's SSL certificate display and \"General Information\" fields may say `Amazon` when the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine whether something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of this policy, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt response to relevant questions.\n\n#Severity Examples\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | High - Critical |\n| 5 | Server-Side Request Forgery | Medium - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - High |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\nPlease note that this is not meant to be an exhaustive list, but a general guideline for the severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n|---|---|---|\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to an external location |\n| | Multi-model attacks | e.g. content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-Application Logic DoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS-related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-23T00:31:44.846Z"},{"id":3733191,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 
\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring).\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero).\n\n\n#What is VRP?\n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n#Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP.\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child), are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us.\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on the latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher through our own vulnerability response program.\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing)\n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, include the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon`, but the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g. Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope or unlisted items. Subdomain Takeovers on Wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDOS\n* Non-Application Logic DOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","IDOR","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-22T16:58:22.674Z"},{"id":3732761,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 
\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display and \"General Information\" may say `Amazon`, but the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g. Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope or unlisted items. Subdomain Takeovers on Wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDOS\n* Non-Application Logic DOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-17T20:38:28.209Z"},{"id":3732073,"new_policy":"==**At 10:00 UTC July 15th, HackerOne is updating to a new policy format that will provide better clarity and structure. This functionality makes it clear how Amazon's program behaves. Note that when this functionality goes live, the settings will not immediately reflect the true status of things. Until UTC 00:00 July 19th, please follow the policy as it's written and not the newly created modals. Thank you.**==\n\n#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. 
Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n   * Our concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL certificate display and \"General Information\" may say `Amazon` when the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine whether something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to an external location |\n| | Multi-model attacks | e.g. content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using the [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover for out-of-scope or unlisted assets. Subdomain Takeovers on Wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-Application Logic DoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-11T23:02:26.036Z"},{"id":3731878,"new_policy":"==**At 10:00 UTC July 10th, HackerOne is updating to a new policy format that will provide better clarity and structure. This functionality makes it clear how Amazon's program behaves. Note that when this functionality goes live, the settings will not immediately reflect the true status of things. Until UTC 00:00 July 13th, please follow the policy as it's written and not the newly created modals. Thank you.**==\n\n#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. 
Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: An XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n   * Our concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL certificate display and \"General Information\" may say `Amazon` when the asset is actually an Amazon customer using AWS. This cannot be used as evidence to determine whether something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope items or not listed scope. Subdomain Takeovers on  Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-Application Logic DoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-10T00:30:07.899Z"},{"id":3723594,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 
\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is VRP? \n\nVRP is an initiative driven and managed by Amazon's Stores Security Bug Bounty Team.\n\n# Who Can Participate in VRP?\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP\n\nAmazon employees and contractors, as well as their immediate family members (e.g., parent, sibling, spouse, child) are strictly prohibited from participating in VRP. Amazon employees and contractors may not share information with an external security researcher to bypass this prohibition or otherwise enable another person to participate in VRP (in which case all parties are ineligible). Residents of any countries/regions that are subject to United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, and any person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List are strictly prohibited from participating in VRP. 
\n\nYou must be 18 or older to be eligible for an award.\n\n#How VRP Works\n* Security researchers and Amazon customers are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. \n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check the Scope section for complete details on latest in-scope assets)\n\n\nAll retail marketplaces are Wildcard scoped (*.amazon)\n\n| Domain |\n|---|\n| amazon.com (United States) |\n| amazon.co.uk (UK) |\n| amazon.in (India) |\n| amazon.de (Germany) |\n| amazon.fr (France) |\n| amazon.co.jp (Japan) |\n| amazon.ca (Canada) |\n| amazon.cn (China) |\n| amazon.it (Italy) |\n| amazon.es (Spain) |\n| amazon.nl (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg (Singapore) |\n| amazon.se (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl (Poland) |\n| amazon.com.au 
(Australia) |\n| amazon.com.tr (Turkey) |\n| amazon.com.br (Brazil) |\n| amazon.com.mx (Mexico) |\n| amazon.com.be (Belgium) |\n| amazon.co.za (South Africa) |\n| amazon.com.ng (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which has these types of text in URLs - test, qa, integ, preprod, gamma, beta, user-aliases, regions (us-east, us-west)\n- AWS and AWS customer assets \n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for VRP. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for VRP and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of VRP. If you become aware of an out-of-scope vulnerability, you may report the security finding for our review. 
If you are not able to demonstrate an impact on bounty-eligible assets, then that finding may not be eligible for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Comply with all provisions of this policy at all times, including those regarding who can participate in VRP.\n* Test only in-scope services and products, and only test for eligible vulnerabilities. Do not test out-of-scope assets, and do not test for ineligible vulnerabilities or other out-of-scope issues.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted.\n   * Do the minimum amount of testing necessary to identify and validate the finding. Do not perform additional testing after you have confirmed that a vulnerability exists.\n   * For any given finding, perform the necessary actions to demonstrate impact. Once the impact has been demonstrated and reported, do not attempt to reproduce the finding again unless requested by the VRP team. Amazon will work to identify the full severity of an issue on the merits of the content itself.\n      * Valid Example: A XSS issue that can be escalated with a separate CSRF issue. 
\n      * Invalid Example: Testing many individual instances of a single issue for the purposes of illustrating severity.\n      * Invalid Example: Finding disclosed credentials and using them to pivot.\n* If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* If the vulnerability or your testing causes a readily visible issue that could alert the public to the vulnerability or your testing, immediately report the issue to us, even if your report is incomplete.\n* Do not attempt to perform any attack that could hinder Amazon in serving customers or carrying out other business functions, including brute-force attacks or denial-of-service attacks.\n* Use only your own accounts while testing. Do not compromise or test Amazon accounts that are not your own.\n   * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n   * You are not authorized to access, use, or otherwise interact with other people’s accounts or data.\n* Do not attempt to target Amazon personnel or customers, including by social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon personnel in communication.\n   * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility.\n* Do not do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n\n#Rules of Engagement (Testing) \n\n* Use the User-Agent string `amazonvrpresearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.\n   * Use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* When testing, do not attempt to execute instructions that may directly or visibly alert other people to your activity or that may access, modify, or delete other people’s accounts or data.\n* Create Amazon accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using `yourh1username@wearehackerone.com`.\n* While testing, forward the string `amazonvrpresearcher_yourh1username` anywhere in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of the vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over. 
**Not using a version hosted yourself, will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n\n#Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. \n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" and lawful under the U.S. Computer Fraud and Abuse Act (CFAA), U.S. Digital Millennium Copyright Act (DMCA), and similar laws in the United States and other jurisdictions. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n* If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that those third parties won’t pursue legal action against you. Amazon is not responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery.\n* Be prepared with a recent card statement available to prove ownership.\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. 
You also agree not to attempt to threaten or extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Severity Examples\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request Smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\nPlease note, this is not meant to be an exhaustive list, but a general guideline for what severity these issues are given.\n\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized 
action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope items or not listed scope. Subdomain Takeovers on  Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Discovering and testing against AWS customer assets\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DDoS\n* Non-Application Logic DoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* Auth User Enumeration\n* Password Complexity\n* HTTP Trace Method\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T16:53:17.174Z"},{"id":3722111,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). 
\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\nAll retail marketplaces are Wildcard scoped (*.amazon) except for .com\n\n| Domain |\n|---|\n| amazon.co.uk  (UK) |\n| amazon.in  (India) |\n| amazon.de  (Germany) |\n| amazon.fr  (France) |\n| amazon.co.jp  (Japan) |\n| amazon.ca  (Canada) |\n| amazon.cn  (China) |\n| amazon.it  (Italy) |\n| amazon.es  (Spain) |\n| amazon.nl  (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg  (Singapore) |\n| amazon.se  (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl  (Poland) |\n| amazon.com.au  (Australia) |\n| amazon.com.tr  (Turkey) |\n| amazon.com.br  (Brazil) |\n| amazon.com.mx  (Mexico) |\n| amazon.com.be  (Belgium) |\n| amazon.co.za  (South Africa) |\n| amazon.com.ng  (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: 
amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which is non-prod asset e.g. - test, qa, integ, preprod, gamma, beta, user-aliases, regions\n- AWS and AWS customer assets are strictly out of scope\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher is not able to demonstrate the impact on bounty-eligible assets, then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon in serving Customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern with using 3rd party infrastructure is the exposure of the vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n* When testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. 
Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope or not listed scope. Subdomain Takeovers on  Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-29T23:01:52.552Z"},{"id":3713564,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\nAll retail marketplaces are Wildcard scoped (*.amazon) except for .com\n\n| Domain |\n|---|\n| amazon.co.uk  (UK) |\n| amazon.in  (India) |\n| amazon.de  (Germany) |\n| amazon.fr  (France) |\n| amazon.co.jp  (Japan) |\n| amazon.ca  (Canada) |\n| amazon.cn  (China) |\n| amazon.it  (Italy) |\n| amazon.es  (Spain) |\n| amazon.nl  (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg  (Singapore) |\n| amazon.se  (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl  (Poland) |\n| amazon.com.au  (Australia) |\n| amazon.com.tr  
(Turkey) |\n| amazon.com.br  (Brazil) |\n| amazon.com.mx  (Mexico) |\n| amazon.com.be  (Belgium) |\n| amazon.co.za  (South Africa) |\n| amazon.com.ng  (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which is non-prod asset e.g. - test, qa, integ, preprod, gamma, beta, user-aliases, regions\n- AWS and AWS customer assets are strictly out of scope\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon in serving Customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. This cannot be used as evidence to determine if something is owned by Amazon, and should not be used as a launch point for recon.\n•\tWhen testing a subdomain takeover, do not publish anything on the index page or otherwise attempt to demonstrate the overall impact of the vulnerability. 
Instead, serve an HTML file on a hidden path containing your HackerOne username in an HTML comment.\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover  for out of scope or not listed scope. Subdomain Takeovers on  Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-04T05:52:09.987Z"},{"id":3713450,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\nAll retail marketplaces are Wildcard scoped (*.amazon) except for .com\n\n| Domain |\n|---|\n| amazon.co.uk  (UK) |\n| amazon.in  (India) |\n| amazon.de  (Germany) |\n| amazon.fr  (France) |\n| amazon.co.jp  (Japan) |\n| amazon.ca  (Canada) |\n| amazon.cn  (China) |\n| amazon.it  (Italy) |\n| amazon.es  (Spain) |\n| amazon.nl  (Netherlands) |\n| amazon.ae (United Arab Emirates) |\n| amazon.sg  (Singapore) |\n| amazon.se  (Sweden) |\n| amazon.sa (Saudi Arabia) |\n| amazon.eg (Egypt) |\n| amazon.pl  (Poland) |\n| amazon.com.au  (Australia) |\n| amazon.com.tr  
(Turkey) |\n| amazon.com.br  (Brazil) |\n| amazon.com.mx  (Mexico) |\n| amazon.com.be  (Belgium) |\n| amazon.co.za  (South Africa) |\n| amazon.com.ng  (Nigeria) |\n| amazon.com.co (Colombia) |\n| amazon.cl (Chile) |\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything which contains aws in the subdomain\n- Anything which is .a2z.\n- Anything which ends with *.dev\n- Anything which redirects to AWS\n- Anything which is non-prod asset e.g. - test, qa, integ, preprod, gamma, beta, user-aliases, regions\n- AWS and AWS customer assets are strictly out of scope\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon in serving Customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. **\n* Shodan SSL Cert display, and \"General Information\" may say `Amazon` but is actually an Amazon Customer using AWS. 
A Shodan listing that says `Amazon` is not evidence that an asset is owned by Amazon, and must not be used as a starting point for recon.\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password or account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create a Match and Replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures that protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not authorize you to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of security research conducted in accordance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed against third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share, publicly or privately, any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exfiltrates user data from the prompt to an external location |\n| | Multi-model attacks | e.g. content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using the [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application returns a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover on out-of-scope or unlisted assets. Subdomain Takeovers on wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities in Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything else related to Physical Stores are out-of-scope |\n| AWS | All AWS related services and products are out-of-scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-29T19:27:46.026Z"},{"id":3712737,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but take no further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out with questions or for clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make the necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be invited to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nThe base `www` domain of each international retail marketplace, unless otherwise specified in the scope list:\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* 
Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submission, please include as much of the following information as you can for your report to be considered. Some items won’t be applicable depending on context:\n        * Timestamp\n        * IP\n        * Consumed content | indirect prompt injection string or other content\n        * Utterance information (for voice-based GenAI)\n    * Direct prompt injection, or issues with model prompts where security impact is only presumed, may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything with `aws` in the subdomain\n- Anything whose hostname contains `.a2z.`\n- Anything whose hostname ends in `.dev`\n- Anything which redirects to AWS\n- Any non-production asset, e.g. hostnames containing test, qa, integ, preprod, gamma, beta, user aliases, or region names\n- AWS and AWS customer assets are strictly out of scope\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. This list is a general guideline and not perfect. Because AWS is an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or if the issue has not previously been identified by another researcher through our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted\n* Do not attempt brute-force attacks or denial-of-service attacks that hinder Amazon in serving customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, stop and report this to our team so we can investigate. Tell us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not target Amazon employees or customers, including through social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon employees in communication\n    * This includes support chats, even ones that appear to be automated, and Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited use of automated scanners/tools is allowed with the above User-Agent applied; scanners/tools must be configured to send no more than **5** requests per second to any particular service. \n* Please note that use of scanning tools without the User-Agent string `amazonkitresearcher_yourh1username` may result in your account/IP being blocked by automated protections. Reinstatement can take time, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only use assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\n\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all callback traffic goes through domains only you control.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n* Shodan's SSL certificate display and \"General Information\" fields may say `Amazon` for a host that is actually an Amazon customer using AWS. 
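The two testing rules above (tag every request with the researcher User-Agent string, and hold automated tooling to no more than 5 requests per second per service) in working form. This is an added example and not part of the Amazon policy or any Amazon tooling. The tag value `amazonvrpresearcher_yourh1username` is a stand-in: the page gives the tag in two spellings in different sections, so pass whichever string the program currently requires, with your own HackerOne username. The sample request is constructed, and `FakeClock` exists only so the pacing can be shown without real waiting. The raw-request rewrite also shows the difference between the Burp rule given under Creating Accounts, whose `^User-Agent.*$` match discards the browser's own User-Agent, and appending the tag to it, which satisfies the page's wording of "anywhere in your User-Agent header" while keeping a realistic browser string.

```python
"""Added example, not Amazon's code: tag outgoing requests with the researcher
User-Agent string and pace automated tooling at the policy's 5 requests per
second per service."""
import re
import threading
import time
from collections import defaultdict

# Assumption: stand-in for the exact tag the program asks for; the policy page
# shows the tag as <prefix>_yourh1username with two different prefixes.
RESEARCHER_TAG = "amazonvrpresearcher_yourh1username"
MAX_RPS = 5  # policy ceiling for scanners/tools, per service


def tag_user_agent(headers, tag=RESEARCHER_TAG):
    """Return a copy of `headers` whose User-Agent contains `tag`.

    The tag is appended to an existing value instead of replacing it: the
    policy only requires the string to appear somewhere in the header, and
    keeping the real browser string avoids being served a different page.
    Header names are matched case-insensitively, as HTTP requires.
    """
    out = dict(headers)
    key = next((k for k in out if k.lower() == "user-agent"), None)
    if key is None:
        out["User-Agent"] = tag
    elif tag not in out[key]:
        out[key] = f"{out[key]} {tag}"
    return out


# Raw-request equivalent of the Burp Match and Replace rule. The policy's
# pattern `^User-Agent.*$` replaces the whole line; the capture group here
# keeps the original value and appends the tag after it.
UA_LINE = re.compile(r"^User-Agent:[ \t]*([^\r\n]*)", re.MULTILINE | re.IGNORECASE)


def tag_raw_request(raw, tag=RESEARCHER_TAG):
    """Rewrite (or add) the User-Agent line of a raw HTTP/1.1 request head."""
    if UA_LINE.search(raw) is None:
        head, sep, body = raw.partition("\r\n\r\n")
        return f"{head}\r\nUser-Agent: {tag}{sep}{body}"
    return UA_LINE.sub(lambda m: f"User-Agent: {m.group(1)} {tag}", raw, count=1)


class PerHostRateLimiter:
    """Sliding-window limiter: at most `max_rps` requests to a host per second.

    `clock` and `sleep` are injectable so the pacing can be checked without
    real waiting; the defaults use the monotonic clock.
    """

    def __init__(self, max_rps=MAX_RPS, clock=time.monotonic, sleep=time.sleep):
        self.max_rps = max_rps
        self.clock = clock
        self.sleep = sleep
        self._sent = defaultdict(list)  # host -> send times within the last second
        self._lock = threading.Lock()

    def wait_for_slot(self, host):
        """Block until a request to `host` is allowed; return seconds waited."""
        waited = 0.0
        while True:
            with self._lock:
                now = self.clock()
                recent = [t for t in self._sent[host] if now - t < 1.0]
                self._sent[host] = recent
                if len(recent) < self.max_rps:
                    recent.append(now)
                    return waited
                delay = 1.0 - (now - recent[0])  # until the oldest entry leaves the window
            self.sleep(delay)  # sleep outside the lock so other hosts are not held up
            waited += delay


class FakeClock:
    """Deterministic clock for demonstrating the limiter without real sleeps."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    # Constructed sample request; not captured traffic.
    raw = "GET / HTTP/1.1\r\nHost: www.amazon.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    print(tag_raw_request(raw))
    fc = FakeClock()
    limiter = PerHostRateLimiter(clock=fc.now, sleep=fc.sleep)
    print([limiter.wait_for_slot("www.amazon.com") for _ in range(7)])
```

Run as a script it prints the tagged request and the delay list `[0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 0.0]`: the sixth request in the same second is held until the window rolls over. For real traffic, call `wait_for_slot(host)` before each request and hand `tag_user_agent(headers)` to whatever HTTP client you use; the limiter is keyed per host to match the policy's per-service ceiling.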
A Shodan listing that says `Amazon` is not evidence that an asset is owned by Amazon, and must not be used as a starting point for recon.\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password or account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create a Match and Replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures that protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not authorize you to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of security research conducted in accordance with this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed against third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share, publicly or privately, any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exfiltrates user data from the prompt to an external location |\n| | Multi-model attacks | e.g. content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using the [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application returns a stack trace |\n\n#Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover on out-of-scope or unlisted assets. Subdomain Takeovers on wildcard domains are **In-Scope** |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities in Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything else related to Physical Stores are out-of-scope |\n| AWS | All AWS related services and products are out-of-scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-15T18:48:19.189Z"},{"id":3712732,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but take no further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out with questions or for clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make the necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be invited to the **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nThe base `www` domain of each international retail marketplace, unless otherwise specified in the scope list:\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* 
Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submission, please include as much of the following information as you can for your report to be considered. Some items won’t be applicable depending on context:\n        * Timestamp\n        * IP\n        * Consumed content | indirect prompt injection string or other content\n        * Utterance information (for voice-based GenAI)\n    * Direct prompt injection, or issues with model prompts where security impact is only presumed, may not be accepted unless Amazon determines validity.\n\n##Always out of scope and not reward eligible\n\n- Anything with `aws` in the subdomain\n- Anything whose hostname contains `.a2z.`\n- Anything whose hostname ends in `.dev`\n- Anything which redirects to AWS\n- Any non-production asset, e.g. hostnames containing test, qa, integ, preprod, gamma, beta, user aliases, or region names\n- AWS and AWS customer assets are strictly out of scope\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. This list is a general guideline and not perfect. Because AWS is an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
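A pre-flight check that applies the scope rules above (the "Always out of scope" hostname markers, the marketplace list, and the AWS IP-space exclusion) to a candidate target before any traffic is sent; the same section appears in each policy version on this page and the check applies to all of them. It is an added example, not part of the Amazon policy or any Amazon tooling. The `ip-ranges.json`-shaped document is a constructed sample using documentation-only prefixes (load the real file from the URL above for actual use), the region-name regex is an assumption about what the policy's "regions" marker means, and the "redirects to AWS" rule is left out because it needs a live request.

```python
"""Added example, not Amazon's code: apply the policy's scope exclusions to a
candidate target before sending any traffic."""
import ipaddress
import json
import re

# Base www domains listed under "Services and Products in Scope".
IN_SCOPE_MARKETPLACES = {
    "www.amazon.com.br", "www.amazon.ca", "www.amazon.com.mx", "www.amazon.com",
    "www.amazon.cn", "www.amazon.in", "www.amazon.co.jp", "www.amazon.sg",
    "www.amazon.com.tr", "www.amazon.ae", "www.amazon.fr", "www.amazon.de",
    "www.amazon.it", "www.amazon.nl", "www.amazon.es", "www.amazon.se",
    "www.amazon.co.uk", "www.amazon.com.au",
}
# Non-production markers named by the policy, matched per hostname label and
# per hyphen-separated part of a label, so "checkout-beta" counts.
NON_PROD_LABELS = {"test", "qa", "integ", "preprod", "gamma", "beta"}
# Assumption: the policy's "regions" marker means AWS-style names like us-east-1.
REGION_LABEL = re.compile(r"^[a-z]{2}-[a-z]+-\d$")

# Reasons returned by scope_exclusion(); None means no exclusion applied.
REASON_AWS_LABEL = "hostname label contains 'aws'"
REASON_A2Z = "hostname contains the a2z label"
REASON_DEV = "hostname ends with .dev"
REASON_NON_PROD = "non-production asset (test/qa/integ/preprod/gamma/beta/region label)"
REASON_AWS_IP = "resolves into AWS IP space (likely an AWS customer asset)"
REASON_UNLISTED = "not on the marketplace list; confirm against the Scopes section"

# Constructed sample in the shape of ip-ranges.json; documentation prefixes only.
SAMPLE_IP_RANGES = json.loads("""
{"syncToken": "0", "createDate": "1970-01-01-00-00-00",
 "prefixes": [{"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
               "service": "AMAZON", "network_border_group": "us-east-1"}],
 "ipv6_prefixes": [{"ipv6_prefix": "2001:db8::/32", "region": "us-east-1",
                    "service": "AMAZON", "network_border_group": "us-east-1"}]}
""")


def load_aws_networks(doc):
    """Turn an ip-ranges.json document into ip_network objects (IPv4 and IPv6)."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in doc.get("prefixes", [])]
    nets += [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc.get("ipv6_prefixes", [])]
    return nets


def in_aws_ip_space(ip, networks):
    """True if `ip` falls inside any of the published AWS prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def scope_exclusion(hostname, ip=None, aws_networks=()):
    """Return why a target is excluded, or None if no exclusion applies.

    Order matters: the hostname markers are "always out of scope", so they
    are checked first. A listed marketplace domain is then accepted without
    consulting the IP list. Only for everything else does an AWS address
    count against the target. The "redirects to AWS" rule needs a live
    request and is not evaluated here.
    """
    host = hostname.strip().lower().rstrip(".")
    labels = host.split(".")
    if any("aws" in label for label in labels):
        return REASON_AWS_LABEL
    if "a2z" in labels:
        return REASON_A2Z
    if host.endswith(".dev"):
        return REASON_DEV
    for label in labels:
        if any(part in NON_PROD_LABELS for part in label.split("-")) or REGION_LABEL.match(label):
            return REASON_NON_PROD
    if host in IN_SCOPE_MARKETPLACES:
        return None
    if ip is not None and in_aws_ip_space(ip, aws_networks):
        return REASON_AWS_IP
    return REASON_UNLISTED


if __name__ == "__main__":
    nets = load_aws_networks(SAMPLE_IP_RANGES)
    # Constructed candidates; the addresses are documentation ranges, not real resolutions.
    for host, ip in [("www.amazon.com", "203.0.113.5"), ("checkout-beta.amazon.com", None),
                     ("foo.a2z.com", None), ("shop.example.com", "203.0.113.9"),
                     ("shop.example.com", "198.51.100.1")]:
        print(f"{host:28} {ip or '-':16} {scope_exclusion(host, ip, nets) or 'in scope'}")
```

Hostname rules are evaluated first because the policy calls them always out of scope. An explicitly listed marketplace domain is then accepted without consulting the IP list, because the retail sites may legitimately be served from AWS address space and the policy itself says the IP list is a guideline rather than a decision rule. An unlisted hostname outside AWS space still comes back with a reason: the program's Scopes section, not this list, is the authority on what is in scope.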
If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or if the issue has not previously been identified by another researcher through our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, or pivoting with access not normally granted\n* Do not attempt brute-force attacks or denial-of-service attacks that hinder Amazon in serving customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, stop and report this to our team so we can investigate. Tell us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not target Amazon employees or customers, including through social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon employees in communication\n    * This includes support chats, even ones that appear to be automated, and Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-Agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g. Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover for out of scope or not listed scope. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-15T16:47:42.946Z"},{"id":3712731,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces base `www` domain unless otherwise specified in the scope list\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* 
Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon in serving Customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-Agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g. Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover for out of scope or not listed scope. Subdomain Takeovers on Wildcard domains are **In-Scope**      |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist, e.g. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-15T16:44:49.196Z"},{"id":3711338,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n#Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n#What is Amazon's VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n#Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to Amazon's VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n#How Amazon's VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n#Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces base `www` domain unless otherwise specified in the scope list\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* 
Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n    * Android: com.amazon.mShop.android.shopping \n    * iOS: amazon-shopping-297606951\n\n* Any GenAI implementation located on the above\n    * For any GenAI submissions please include as much of the following information as you can for your report to be considered. Some won’t be applicable due to context:\n        * Timestamp\n        * IP\n        * Consumed Content | Indirect Prompt Injection String or Other Content\n        * Utterance information (for voice based GenAI)\n    * Direct Prompt Injection or issues with model prompts where security impact is presumed may not be accepted unless Amazon determines validity.\n\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n#Rules of Engagement (Behavior)\n\n* Amazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon in serving Customers\n* Do not compromise or test Amazon accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated, or Contact Us areas.\n* Do not perform physical attacks against any Amazon facility\n* Don’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon’s discretion.**\n\n#Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `amazonkitresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\n\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n#For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n#Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username anywhere in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n#Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your HackerOne points, or participation without your permission\n\n\n#If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n\n#Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n#Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n#Eligible Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | High - Critical     |\n| 5 | Server-Side Request Forgery\t| Medium - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - High       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##LLM/GenAI Vulnerabilities\n\n| Severity Ranges | Vulnerability | Example |\n| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |\n| Critical - High | | |\n| | Cross-account authorization issue | Access to personal data belonging to another account |\n| | Remote code execution | Serialization issue that enables arbitrary class invocation |\n| | Indirect prompt injection unauthorized action | Malicious content executes an unauthorized action |\n| | Indirect cross-turn prompt injection | Malicious content influences LLM actions across sessions |\n| | Indirect prompt 
injection - PII data | Malicious content exports user data in the prompt to external location |\n| | Multi-model attacks | e.g Content rendered on screen/UI exploits or web issues (e.g. XSS) |\n| Medium - Low | | |\n| | Missing security disengagement for regex | Using [EOM] metatoken does not disengage |\n| | Prompt leak | The application returns key parts of the prompt (action list or system prompt) |\n| | Verbose errors | The application details a stack trace |\n\n#Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Model Hallucinations\n* Content moderation issues, solicitation\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-23T18:51:09.668Z"},{"id":3706151,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: 
www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program. This link is a general guideline and not perfect. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering 
attacks, phishing attacks or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not test `Contact Us` based functionality\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** \n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-30T18:47:20.804Z"},{"id":3705070,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices).\nFor vulnerabilities related to Ring, please submit reports via [the Ring Bug Bounty page](https://hackerone.com/ring)\nFor vulnerabilities related to eero, please submit reports via [the eero Bug Bounty page](https://hackerone.com/eero)\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: 
www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n   
* This applies even if it appears to be an automated chat system.\n* Do not test `Contact Us` based functionality\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** \n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-12T17:52:01.136Z"},{"id":3683198,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices?type=team).\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability 
Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not test `Contact Us` based functionality\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** \n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-08T19:04:25.039Z"},{"id":3678502,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices?type=team).\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: www.amazon.com.br\n* Canada: www.amazon.ca\n* Mexico: www.amazon.com.mx\n* United States: www.amazon.com\n* China: www.amazon.cn\n* India: www.amazon.in\n* Japan: www.amazon.co.jp\n* Singapore: www.amazon.sg\n* Turkey: www.amazon.com.tr\n* United Arab Emirates: www.amazon.ae\n* France: www.amazon.fr\n* Germany: www.amazon.de\n* Italy: www.amazon.it\n* Netherlands: www.amazon.nl\n* Spain: www.amazon.es\n* Sweden: www.amazon.se\n* United Kingdom: www.amazon.co.uk\n* Australia: www.amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability 
Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not test `Contact Us` based functionality\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-12T19:56:18.342Z"},{"id":3677339,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices?type=team).\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  
As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not test `Contact Us` based functionality\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-14T23:41:22.022Z"},{"id":3677285,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Devices, please submit reports via [Amazon Vulnerability Research Program - Devices page](https://hackerone.com/amazonvrp-devices?type=team).\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  
As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with the terms of, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - Critical     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-13T17:40:06.266Z"},{"id":3677157,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  
To be eligible for rewards, reports must comply with all parts of this policy, and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces:\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\nAndroid and iOS Retail Apps (MShop):\n* Android: com.amazon.mShop.android.shopping\n* iOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and is against the AWS AUP (https://aws.amazon.com/aup/).\n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or if the issue has not previously been identified by another researcher or through our own vulnerability response program.\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, or interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or customers, including through social engineering, phishing or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith or make ransom requests. Simply report the vulnerability to us.\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than **5** requests per second to any particular service. 
Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note that use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this to our team so we can investigate. Report to us what information was accessed, and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n**NOTE:** Please do not use third-party sites when testing (for instance, \u003cyourdomains\u003e@xss.ht). We understand the use case (and value) of this testing, but ask that when doing blind XSS (or any other out-of-band) testing, you only use assets that you explicitly own and control yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. 
You can create accounts on Amazon using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing, please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability arising from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##If Your Account is Banned or Blocked as a Result of Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne's guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share, publicly or privately, any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt responses to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|----|------------|--------|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - Critical |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|----|------------|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything else related to Physical Stores are out of scope |\n| AWS | All AWS-related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-08T18:21:51.506Z"},{"id":3672333,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. 
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program or from sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, report the vulnerability but take no further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. 
To be eligible for rewards, reports must comply with all parts of this policy, and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces:\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\nAndroid and iOS Retail Apps (MShop):\n* Android: com.amazon.mShop.android.shopping\n* iOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and is against the AWS AUP (https://aws.amazon.com/aup/).\n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or if the issue has not previously been identified by another researcher or through our own vulnerability response program.\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, or interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or customers, including through social engineering, phishing or physical attacks\n   * This applies even if it appears to be an automated chat system.\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith or make ransom requests. Simply report the vulnerability to us.\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than **5** requests per second to any particular service. 
Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note that use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this to our team so we can investigate. Report to us what information was accessed, and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n**NOTE:** Please do not use third-party sites when testing (for instance, \u003cyourdomains\u003e@xss.ht). We understand the use case (and value) of this testing, but ask that when doing blind XSS (or any other out-of-band) testing, you only use assets that you explicitly own and control yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. 
You can create accounts on Amazon using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing, please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability arising from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##If Your Account is Banned or Blocked as a Result of Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne's guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share, publicly or privately, any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt responses to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|----|------------|--------|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|----|------------|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything else related to Physical Stores are out of scope |\n| AWS | All AWS-related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-03T00:32:45.163Z"},{"id":3668698,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. 
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program or from sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services.\n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, report the vulnerability but take no further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. 
To be eligible for rewards, reports must comply with all parts of this policy, and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces:\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\nAndroid and iOS Retail Apps (MShop):\n* Android: com.amazon.mShop.android.shopping\n* iOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and is against the AWS AUP (https://aws.amazon.com/aup/).\n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher cannot demonstrate impact on bounty-eligible assets, the finding will not be considered for a reward.\n\nReports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists Amazon's security teams with remediation efforts, or if the issue has not previously been identified by another researcher or through our own vulnerability response program.\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, or interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or customers, including through social engineering, phishing or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith or make ransom requests. Simply report the vulnerability to us.\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than **5** requests per second to any particular service. 
Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note that use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this to our team so we can investigate. Report to us what information was accessed, and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n**NOTE:** Please do not use third-party sites when testing (for instance, \u003cyourdomains\u003e@xss.ht). We understand the use case (and value) of this testing, but ask that when doing blind XSS (or any other out-of-band) testing, you only use assets that you explicitly own and control yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. 
You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research in accordance with the terms of this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-30T20:23:18.708Z"},{"id":3666835,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. 
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  
To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. 
Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [this page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. 
You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research in accordance with the terms of this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-21T23:19:18.926Z"},{"id":3663613,"new_policy":"#Amazon Vulnerability Research Program Event\n\nHello Researchers,\nAmazon is accepting vulnerability reports stemming from the Log4j library (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=log4j) RCE for any asset within our bounty eligible **IN-SCOPE ASSET LIST** (https://hackerone.com/amazonvrp/scope_versions?type=team). 
As with the exploitation of any RCE, exploitation of Log4j that violates our Rules of Engagement, including attempts to learn additional information about Amazon hosts or find additional vulnerabilities, violates the Legal Safe Harbor terms found below.\n\nRegular terms in the policy below apply, but as a reminder, please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing. Absence of this User-Agent string may result in your account/IP getting blocked by automated protections.\n\n**Rules of Engagement for Log4j Related Vulnerabilities**\nFailure to abide by the below terms will disqualify you from a bounty.\n\n1. **DO NOT** use any RCE payloads, any of the first stage triggers (ex: ${jndi:ldap:://yourhost}, jndi:rmi, jndi:iiop, etc) are fine. You must **NOT** be serving Java classes to hosts as part of this effort.\n2. **DO NOT** exfiltrate keys/sensitive info stored in environment variables, grabbing things like USER, HOSTNAME, JVM settings are acceptable.\n3. Please limit testing to bounty eligible in-scope asset list only. **DO NOT** perform any testing against AWS and AWS customer assets. Security issues discovered in the [AWS IP Space](https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for this program. As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for this program and against the [AWS AUP](https://aws.amazon.com/aup/). \n\n**Rewards \u0026 Expectations**\nUnique, valid, submissions only on bounty eligible in-scope assets will be rewarded a bounty of $15,000.\n\n\u0026nbsp;\n\u0026nbsp;\n\n\n\n-----\n\u0026nbsp;\n\u0026nbsp;\n\n\n#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. 
You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  
As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [this page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research in accordance with the terms of this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-03T21:59:21.825Z"},{"id":3662917,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\nHello Researchers,\nAmazon is aware of CVE-2021-44228, a remote code execution vulnerability in the Log4j library. We are suspending allowable use of automated scanners and tools under this Program Policy for testing CVE-2021-44228. As with the exploitation of any RCE, exploitation of Log4j that violates our Rules of Engagement, including attempts to learn additional information about Amazon hosts or find additional vulnerabilities, violates the Legal Safe Harbor terms found below.\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. 
\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  
As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note that use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains that you have control over. 
Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please use the [Amazon infringement reporting page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for any liability arising from actions you perform against third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked Because of Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-12T00:29:56.512Z"},{"id":3662914,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\nHello Researchers,\nAs we work to triage and safeguard our Customers in response to CVE-2021-44228 (Apache log4j) **we are temporarily prohibiting security testing for this issue and all automated testing until further notice.**\nIf you are currently performing any automated testing or investigating CVE-2021-44228 please halt this activity immediately. We will provide an update to lift this restriction in the near future.\nWe appreciate your continued engagement with Amazon through our Bug Bounty program. 
If you have any questions or concerns please reach out through the support channels within our program policy.\nThank you for your understanding. \n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: 
amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities, and vulnerabilities that are already known and being tracked by our internal team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Except as applied to CVE-2021-44228, limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service. Use of automated scanners/tools for CVE-2021-44228 testing is prohibited.\n* Please note that use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  
Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains that you have control over. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please use the [Amazon infringement reporting page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for any liability arising from actions you perform against third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked Because of Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. 
By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. 
missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope. See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-11T19:07:12.860Z"},{"id":3662913,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\nHello Researchers,\n\nAmazon is aware of CVE-2021-44228, a remote code execution vulnerability in the Log4j library. We are suspending allowable use of automated scanners and tools under this Program Policy for testing CVE-2021-44228. 
As with the exploitation of any RCE, exploitation of Log4j that violates our Rules of Engagement, including attempts to learn additional information about Amazon hosts or find additional vulnerabilities, violates the Legal Safe Harbor terms found below.\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: 
amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by our internal team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  
\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [this page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [this page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing, please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked Due to Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. 
By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. 
missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-11T19:06:01.284Z"},{"id":3662899,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\nHello Researchers,\nAs we work to triage and safeguard our Customers in response to CVE-2021-44228 (Apache log4j), **we are temporarily prohibiting security testing for this issue and all automated testing until further notice.**\nIf you are currently performing any automated testing or investigating CVE-2021-44228, please halt this activity immediately. 
We will provide an update to lift this restriction in the near future.\nWe appreciate your continued engagement with Amazon through our Bug Bounty program. If you have any questions or concerns please reach out through the support channels within our program policy.\nThank you for your understanding. \n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: 
amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by our internal team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  
\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [this page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [this page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing, please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked Due to Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. 
By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. 
missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated version/builds of in-scope Mobile Apps\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-11T04:45:00.052Z"},{"id":3662898,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\nHello Researchers,\nAs we work to triage and safeguard our Customers in response to CVE-2021-44228 (Apache log4j), we are temporarily prohibiting security testing for this issue until further notice.\nIf you are currently investigating CVE-2021-44228, please halt this activity immediately. We will provide an update to lift this restriction in the near future.\nWe appreciate your continued engagement with Amazon through our Bug Bounty program. 
If you have any questions or concerns please reach out through the support channels within our program policy.\nThank you for your understanding.\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. 
If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: 
amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by that team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  
\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with its terms, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. 
By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. 
missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-11T04:40:30.817Z"},{"id":3662184,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. \n* If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. \n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  
To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty-eligible assets, then that finding will not be considered for a reward.\n\nPlease note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by that team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks\n* Do not compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. Do not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  
\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.  \n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. 
Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act and related laws. 
This limited authorization does not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program in accordance with its terms, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Practices where other mitigating controls exist i.e. missing security headers, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|------------|-----------------------------|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-25T00:07:05.216Z"},{"id":3653473,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n  * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n(**Note:** Please check Scopes section for complete details on latest in-scope assets)\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of bounty eligible scope will be accepted and handled appropriately. 
If the researcher is not able to demonstrate the impact on bounty-eligible assets, then that finding will not be considered for a reward.\n\nPlease note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by that team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon.  You should not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. 
It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate.  Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data.  Continuing to access another person’s data may demonstrate a lack of good faith.  \n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act. These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account Is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security practices where other mitigating controls exist, e.g. missing security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS controls where other mitigating controls exist\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-14T18:36:29.797Z"},{"id":3652428,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. 
We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n\n\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if we need it to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings can be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to the following marketplaces and mobile apps:\n(**Note:** Please check the Scopes section for complete details on the latest in-scope assets)\n\nAll international retail marketplaces:\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping\n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/).\n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of the bounty eligible scope will be accepted and handled appropriately. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for a reward.\n\nPlease note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by our internal team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. You should not act in bad faith and make ransom requests. You should simply report the vulnerability to us.\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. 
It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may demonstrate a lack of good faith.\n\n**NOTE:** Please do not use third-party sites when testing (for instance, \u003cyourdomains\u003e@xss.ht). We understand the use case (and the value of this testing), but ask that when doing blind XSS (or any other) testing you only use assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act. These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account Is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices, e.g. security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-18T19:34:57.699Z"},{"id":3652426,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).
\n\n\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification. 
You must be available to provide additional information if we need it to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings can be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to the following marketplaces and mobile apps:\n\nAll international retail marketplaces:\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping\n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/).\n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of the bounty eligible scope will be accepted and handled appropriately. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for a reward.\n\nPlease note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by our internal team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon. You should not act in bad faith and make ransom requests. You should simply report the vulnerability to us.\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. 
It can take time to reinstate these, so please make sure to include it.\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may demonstrate a lack of good faith.\n\n**NOTE:** Please do not use third-party sites when testing (for instance, \u003cyourdomains\u003e@xss.ht). We understand the use case (and the value of this testing), but ask that when doing blind XSS (or any other) testing you only use assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [Report Infringement page](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$`\n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act. These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account Is Banned or Blocked Due to Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Have a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n| | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices, e.g. security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* Reports on outdated versions/builds of in-scope Mobile Apps\n* DoS/DDoS\n* Host Header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n| AWS | All AWS related services and products will be out-of-scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-18T19:32:13.692Z"},{"id":3648076,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/).
\n\n\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of bounty eligible scope will be accepted and handled appropriately. 
If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n*Do not threaten or try to extort Amazon.  You should not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. 
It can take time to reinstate these so please make sure to include it.\n*If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate.  Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data.  Continuing to access another person’s data may demonstrate a lack of good faith.  \n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. Thanks!\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.  These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-26T20:30:00.187Z"},{"id":3647747,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? 
\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\nAll international retail marketplaces\n* Brazil: amazon.com.br\n* Canada: amazon.ca\n* Mexico: amazon.com.mx\n* United States: amazon.com\n* China: amazon.cn\n* India: amazon.in\n* Japan: amazon.co.jp\n* Singapore: amazon.sg\n* Turkey: amazon.com.tr\n* United Arab Emirates: amazon.ae\n* France: amazon.fr\n* Germany: amazon.de\n* Italy: amazon.it\n* Netherlands: amazon.nl\n* Spain: amazon.es\n* Sweden: amazon.se\n* United Kingdom: amazon.co.uk\n* Australia: amazon.com.au\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. 
Reports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\n\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n*Do not threaten or try to extort Amazon.  You should not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. 
It can take time to reinstate these so please make sure to include it.\n*If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate.  Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data.  Continuing to access another person’s data may demonstrate a lack of good faith.  \n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. Thanks!\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.  These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-14T17:03:37.990Z"},{"id":3646302,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? 
\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who will regularly submit high quality findings can be added to **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n\twww.amazon.com \n\twww.amazon.co.uk \n\twww.amazon.co.jp \n\twww.amazon.de \n\twww.amazon.fr \n\twww.amazon.com.mx\n\twww.amazon.es\n\twww.amazon.in\n\twww.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program.  As an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\n\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities and vulnerabilities that are already known and being tracked by our internal team  at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n*Do not threaten or try to extort Amazon.  You should not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n*If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate.  Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data.  Continuing to access another person’s data may demonstrate a lack of good faith.  
\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. Thanks!\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.  These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| # | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n| # | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices (e.g. missing security headers)\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go mobile apps, Whole Foods apps, and anything related to physical stores are out of scope |\n| AWS | All AWS-related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-30T22:05:56.457Z"},{"id":3646187,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within scope of Amazon’s Vulnerability Research Program (VRP) are also eligible for a reward.  We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\nFor vulnerabilities related to Amazon Web Services (AWS), please visit the [AWS Vulnerability Reporting page](https://aws.amazon.com/security/vulnerability-reporting/). \n\n\n\n##What is VRP? 
\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.  To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.\n* We will notify you of remediation and may reach out for questions or clarification.  
You must be available to provide additional information if needed by us to reproduce and investigate the report.\n\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n\twww.amazon.com \n\twww.amazon.co.uk \n\twww.amazon.co.jp \n\twww.amazon.de \n\twww.amazon.fr \n\twww.amazon.com.mx\n\twww.amazon.es\n\twww.amazon.in\n\twww.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n\tAndroid: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nSecurity issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program.  Because AWS is an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). \n\nYou are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately.\n\n\n\n Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify a zero-day vulnerability on an in-scope system more than 30 days after the zero-day vulnerability was disclosed to the security community. 
Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities; vulnerabilities that are already known and being tracked by that team at the time of your report will not be eligible for an award.\n\n\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, or interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks, or to compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* Do not threaten or try to extort Amazon.  You should not act in bad faith and make ransom requests.  You should simply report the vulnerability to us.  \n\n* If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate.  Please report to us what information was accessed and delete the data.  Do not save, copy, transfer, or otherwise use this data.  Continuing to access another person’s data may demonstrate a lack of good faith.  \n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password or account changes, or other potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.  
These terms do not provide you with authorization to access company data or another person’s account.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| # | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n| # | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices (e.g. missing security headers)\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go mobile apps, Whole Foods apps, and anything related to physical stores are out of scope |\n| AWS | All AWS-related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-26T01:22:48.777Z"},{"id":3646181,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. 
\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n* Qualified researchers who regularly submit high-quality findings may be added to the **Amazon Private Program** (invited researchers only).\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately. 
Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program; because AWS is an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If an asset/IP is not associated with an in-scope domain, please refrain from testing it as part of the Amazon Vulnerability Research Program.\n\nPlease note that zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues, and internally known/tracked issues will not be eligible for the bounty.\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password or account changes, or other potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, or interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks or denial-of-service attacks, or to compromise or test Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service\n* Please note, use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n| # | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - 
Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n| # | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices (e.g. missing security headers)\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go mobile apps, Whole Foods apps, and anything related to physical stores are out of scope |\n| AWS | All AWS-related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-25T21:13:21.073Z"},{"id":3644203,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately. Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program; because AWS is an infrastructure provider, AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If an asset/IP is not associated with an in-scope domain, please refrain from testing it as part of the Amazon Vulnerability Research Program.\n\nPlease note that zero-day vulnerabilities may be reported 30 days after initial disclosure. 
We have an internal team dedicated to working on these types of issues, and internally known/tracked issues will not be eligible for the bounty.\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password or account changes, or other potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report them via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement, please use the [infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please include the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to 
not send more than **5** requests per second to any particular service\n* Please note: use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing you only use assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n\n|   | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|   | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices, e.g. security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-23T23:32:56.619Z"},{"id":3644201,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. 
\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com\n  www.amazon.co.uk\n  www.amazon.co.jp\n  www.amazon.de\n  www.amazon.fr\n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping\n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately. 
Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program: AWS is an infrastructure provider, and AWS customers operate the assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If an asset or IP is not associated with an in-scope domain, please refrain from testing it as part of the Amazon Vulnerability Research Program.\n\nPlease note that zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues, and internally known/tracked issues will not be eligible for the bounty.\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement related issues, please use [Amazon’s infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing, please include the string amazonvrpresearcher_yourh1username in your User-Agent header. 
You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n* **Type:** `Request header`\n* **Match:** `^User-Agent.*$`\n* **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Please make sure to use the User-Agent string `amazonvrpresearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service\n* Please note: use of scanning tools without the User-Agent string `amazonvrpresearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing you only use assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n\n|   | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - 
Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|   | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices, e.g. security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope - see AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/ |\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-23T23:22:09.786Z"},{"id":3642060,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com\n  www.amazon.co.uk\n  www.amazon.co.jp\n  www.amazon.de\n  www.amazon.fr\n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping\n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately. Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program: AWS is an infrastructure provider, and AWS customers operate the assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If an asset or IP is not associated with an in-scope domain, please refrain from testing it as part of the Amazon Vulnerability Research Program.\n\nPlease note that zero-day vulnerabilities may be reported 30 days after initial disclosure. 
We have an internal team dedicated to working on these types of issues, and internally known/tracked issues will not be eligible for the bounty.\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement related issues, please use [Amazon’s infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing, please include the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n* **Type:** `Request header`\n* **Match:** `^User-Agent.*$`\n* **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including the information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use third-party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when 
doing blind XSS (or any) testing you only use assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you control. Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow the on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n\n|   | Vulnerability | Severity Range |\n|---|---|---|\n| 1 | Remote Code Execution | Critical |\n| 2 | SQL Injection | High - Critical |\n| 3 | XXE | High - Critical |\n| 4 | XSS | Medium - High |\n| 5 | Server-Side Request Forgery | Low - Critical |\n| 6 | Directory Traversal - Local File Inclusion | Medium - High |\n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| 8 | Privilege Escalation | Medium - High |\n| 9 | Insecure Direct Object Reference | Medium - Critical |\n| 10 | Misconfiguration | Low - High |\n| 11 | Web Cache Deception | Low - Medium |\n| 12 | CORS Misconfiguration | Low - Medium |\n| 13 | CRLF 
Injection | Low - Medium |\n| 14 | Cross-Site Request Forgery | Low - Medium |\n| 15 | Open Redirect | Low - Medium |\n| 16 | Information Disclosure | Low - Medium |\n| 17 | Request Smuggling | Low - Medium |\n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|   | Vulnerability |\n|---|---|\n| 1 | Subdomain Takeover |\n| 2 | Clickjacking |\n| 3 | Self XSS |\n| 4 | Email Spoofing - SPF Records Misconfiguration |\n\n##Out-of-Scope Issues\n* Security best practices, e.g. security headers\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP TRACE Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category | Asset |\n|---|---|\n| Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, and anything related to Physical Stores are out of scope |\n| AWS | All AWS related services and products are out of scope - see AWS security reporting at 
https://aws.amazon.com/security/vulnerability-reporting/ |\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-04T20:54:00.858Z"},{"id":3641523,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP?\n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team.\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How the VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty-eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com\n  www.amazon.co.uk\n  www.amazon.co.jp\n  www.amazon.de\n  www.amazon.fr\n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping\n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of the bounty-eligible scope will be accepted and handled appropriately. Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program: AWS is an infrastructure provider, and AWS customers operate the assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If an asset or IP is not associated with an in-scope domain, please refrain from testing it as part of the Amazon Vulnerability Research Program.\n\nPlease note that zero-day vulnerabilities may be reported 30 days after initial disclosure. 
We have an internal team dedicated to working on these types of issues, and internally known/tracked issues will not be eligible for the bounty.\n\n##For Other Types of Issues\n\n* For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via the [AWS vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report copyright infringement related issues, please use [Amazon’s infringement report form](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e\n\nAlso, while testing, please include the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n* **Type:** `Request header`\n* **Match:** `^User-Agent.*$`\n* **Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when 
doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-20T21:24:41.423Z"},{"id":3641293,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. 
\n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to the following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n  www.amazon.com.mx\n  www.amazon.es\n  www.amazon.in\n  www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately. 
Security issues discovered in the AWS IP Space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for Amazon Vulnerability Research Program, as an infrastructure provider AWS customers operate assets in this space. Discovering and testing against AWS and AWS customer assets is strictly out of scope for Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/). If the asset/IP is not associated to an in-scope domain please refrain from testing them as part of Amazon Vulnerability Research Program.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-13T18:58:25.227Z"},{"id":3641292,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n www.amazon.com.mx\n www.amazon.es\n www.amazon.in\n www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher_yourh1username`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in to your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on outdated browsers\n* DoS/DDoS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-13T18:13:03.380Z"},{"id":3641146,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us.\n   * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n www.amazon.com.mx\n www.amazon.es\n www.amazon.in\n www.amazon.ca\n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-10T21:07:39.326Z"},{"id":3639586,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e \n\nAlso, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to *Proxy* \u003e\u003e *Options* \u003e\u003e *Match and Replace* with the following options:\n**Type:** `Request header`\n**Match:** `^User-Agent.*$` \n**Replace:** `User-Agent: amazonvrpresearcher`\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-14T21:20:26.889Z"},{"id":3638809,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvrpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-30T22:23:13.889Z"},{"id":3638808,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvrpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks again any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains on you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-30T21:54:48.538Z"},{"id":3638795,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n  www.amazon.com \n  www.amazon.co.uk \n  www.amazon.co.jp \n  www.amazon.de \n  www.amazon.fr \n\n* Android and iOS Retail Apps (MShop)\n  Android: com.amazon.mShop.android.shopping \n  iOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvrpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without our permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-30T19:08:48.186Z"},{"id":3638794,"new_policy":"#Amazon Vulnerability Research Program (VRP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Research Program (VRP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VRP? \n\nAmazon’s Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon’s Information Security team. \n\n##Who Can Participate in the Program\n\nAmazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.\n\nAmazon employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program.\n\n##How VRP Program Works\n* Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. * Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. 
\n* We will work with the affected teams to validate the report.\n* We will issue bounty awards for eligible findings.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services and Products in Scope\n\nBounty eligible findings are limited to following marketplaces and mobile apps:\n\n* Amazon Marketplaces\n www.amazon.com \n www.amazon.co.uk \n www.amazon.co.jp \n www.amazon.de \n www.amazon.fr \n\n* Android and iOS Retail Apps (MShop)\n Android: com.amazon.mShop.android.shopping \n\tiOS: amazon-shopping-297606951\n\nReports of security findings outside of bounty eligible scope will be accepted and handled appropriately.\n\nPlease note that Zero-day vulnerabilities may be reported 30 days after initial disclosure. We have an internal team dedicated to working on these types of issues and internally known/tracked issues will not be eligible for the bounty.\n\n##For other Types of Issues\n\n* Unknown, suspicious, or fraudulent Purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) related issues, please report via [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement related issues, please report via [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string amazonvrpresearcher in your User-Agent header. 
You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvrpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without our permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##If Your Account is Banned or Blocked by Vulnerability Research Activities\n* Follow on-screen instructions when you log in into your Amazon account for recovery\n* Be prepared with a recent card statement available to prove ownership\n* The account will typically be restored within 24 hours\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| Low - Critical | \n| 6 | Directory Traversal - Local File Inclusion | Medium - High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Misconfiguration        | Low - High         | \n| 11 | Web Cache Deception | Low - Medium   |\n| 12 | CORS Misconfiguration      | Low - Medium        | \n| 13| CRLF Injection\t| Low - Medium |  \n| 14 | Cross Site Request Forgery        | Low - Medium         | \n| 15 | Open Redirect        | Low - Medium      |  \n| 16 | Information Disclosure | Low - Medium   | \n| 
17 | Request smuggling | Low – Medium | \n| 18 | Mixed Content | Low |\n\n##Non-eligible Vulnerabilities\n\n|         | Vulnerability         | \n|----------                |------------                |\n| 1                 | Subdomain Takeover        |\n| 2                     | Clickjacking         |  \n| 3           | Self XSS         | \n| 4                      | Email Spoofing - SPF Records Misconfiguration          | \n\n##Out-of-Scope Issues\n* Security Best Practices i.e. Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-30T19:06:16.199Z"},{"id":3637592,"new_policy":"#Amazon Vulnerability Disclosure Program (VDP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. 
If you believe that you have found a security vulnerability within the Vulnerability Disclosure Program (VDP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VDP? \n\nAmazon’s Vulnerability Disclosure Program (VDP) is an initiative driven and managed by Amazon Vulnerability Research Program (VRP) team. Our goal is to partner with security research community and customers to protect Amazon customer trust.\n\n##Who Can Participate the Program\n\nAnyone who discovers a potential security finding, please let us know.\n\n##How the Program Works\n* Everyone, including researchers and customers of Amazon, is encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own account and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services/Products in Scope\n\nSelected services under Amazon.com retail consumer websites.\n* Amazon retail consumer websites, including all country domains (e.g. Amazon.com, Amazon.co.uk, etc.)\n* Mobile apps (e.g. 
Android and iOS)\n\n##For other Types of Issues\n\n* Unknown, Suspicious, or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) Issues, please [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement, please [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating accounts\n\nPlease create accounts using a hackerone email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string hackeronevdpresearcher in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvdpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. 
We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points, or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* If your account is banned or blocked:\n    - Follow on-screen instructions when you log in to your Amazon account for recovery\n    - Be prepared with a recent card statement available to prove ownership\n    - The account will supposedly be restored within 24 hours\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, that you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| High - Critical | \n| 6 | Directory Traversal - Local File Inclusion | High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Reflected Cross Site Scripting\t| Medium |    \n| 11 | Misconfiguration        | Low - High         | \n| 12 | Web Cache Deception | Low - Medium   |\n| 13 | CORS Misconfiguration      | Low - Medium        | \n| 14 | CRLF Injection\t| Low - Medium |  \n| 15 | Cross Site Request Forgery        | Low - Medium         | \n| 16 | Open Redirect        | Low - Medium      |  \n| 17 | Information Disclosure | Low - Medium   | \n| 18 | Request smuggling | Low – Medium | \n| 19 | Mixed Content | Low |\n\n##Out-of-Scope Issues\n* Self XSS\n* Security Best Practices i.e. 
Security Headers etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Email Spoofing - SPF Records Misconfiguration\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Clickjacking\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-19T19:15:39.642Z"},{"id":3635673,"new_policy":"#Amazon Vulnerability Disclosure Program (VDP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Disclosure Program (VDP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VDP? \n\nAmazon’s Vulnerability Disclosure Program (VDP) is an initiative driven and managed by Amazon Vulnerability Research Program (VRP) team. 
Our goal is to partner with security research community and customers to protect Amazon customer trust.\n\n##Who Can Participate the Program\n\nAnyone who discovers a potential security finding, please let us know.\n\n##How the Program Works\n* Everyone, including researchers and customers of Amazon, is encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own account and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services/Products in Scope\n\nSelected services under Amazon.com retail consumer websites.\n* Amazon retail consumer websites, including all country domains (e.g. Amazon.com, Amazon.co.uk, etc.)\n* Mobile apps (e.g. Android and iOS)\n\n##For other Types of Issues\n\n* Unknown, Suspicious, or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) Issues, please [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement, please [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating accounts\n\nPlease create accounts using a hackerone email to help us track security research activity. 
You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string hackeronevdpresearcher in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvdpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* If your account is banned or blocked:\n    - Follow the on-screen instructions when you log in to your Amazon account for recovery\n    - Be prepared with a recent card statement available to prove ownership\n    - The account should be restored within 24 hours\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| High - Critical | \n| 6 | Directory Traversal - Local File Inclusion | High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Reflected Cross Site Scripting\t| Medium |    \n| 11 | Misconfiguration        | Low - High         | \n| 12 | Web Cache Deception | Low - Medium   |\n| 13 | CORS Misconfiguration      | Low - Medium        | \n| 14 | CRLF Injection\t| Low - Medium |  \n| 15 | Cross Site Request Forgery        | Low - Medium         | \n| 16 | Open Redirect        | Low - Medium      |  \n| 17 | Information Disclosure | Low - Medium   | \n| 18 | Request smuggling | Low – Medium | \n\n\n##Out-of-Scope Issues\n* Self XSS\n* Security Best Practices i.e. 
Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Email Spoofing - SPF Records Misconfiguration\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Clickjacking\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Mixed Content\n* Discovering and testing against AWS customer assets\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-30T17:14:25.954Z"},{"id":3635382,"new_policy":"#Amazon Vulnerability Disclosure Program (VDP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Disclosure Program (VDP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VDP? \n\nAmazon’s Vulnerability Disclosure Program (VDP) is an initiative driven and managed by Amazon Vulnerability Research Program (VRP) team. 
Our goal is to partner with the security research community and customers to protect Amazon customer trust.\n\n##Who Can Participate in the Program\n\nAnyone who discovers a potential security finding should let us know.\n\n##How the Program Works\n* Everyone, including researchers and customers of Amazon, is encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own account and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services/Products in Scope\n\nSelected services under Amazon.com retail consumer websites.\n* Amazon retail consumer websites, including all country domains (e.g. Amazon.com, Amazon.co.uk, etc.)\n* Mobile apps (e.g. Android and iOS)\n\n##For Other Types of Issues\n\n* Unknown, Suspicious, or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud: please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) Issues, please [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement, please [click here](https://www.amazon.com/gp/help/reports/infringement).\n\n##Creating accounts\n\nPlease create accounts using a HackerOne email to help us track security research activity. 
You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string hackeronevdpresearcher in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvdpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* If your account is banned or blocked:\n    - Follow the on-screen instructions when you log in to your Amazon account for recovery\n    - Be prepared with a recent card statement available to prove ownership\n    - The account should be restored within 24 hours\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. 
Thanks!\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| High - Critical | \n| 6 | Directory Traversal - Local File Inclusion | High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Reflected Cross Site Scripting\t| Medium |    \n| 11 | Misconfiguration        | Low - High         | \n| 12 | Web Cache Deception | Low - Medium   |\n| 13 | CORS Misconfiguration      | Low - Medium        | \n| 14 | CRLF Injection\t| Low - Medium |  \n| 15 | Cross Site Request Forgery        | Low - Medium         | \n| 16 | Open Redirect        | Low - Medium      |  \n| 17 | Information Disclosure | Low - Medium   | \n| 18 | Request smuggling | Low – Medium | \n\n\n##Out-of-Scope Issues\n* Self XSS\n* Security Best Practices i.e. 
Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Email Spoofing - SPF Records Misconfiguration\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Clickjacking\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Mixed Content\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-23T19:17:50.586Z"},{"id":3635300,"new_policy":"#Amazon Vulnerability Disclosure Program (VDP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Disclosure Program (VDP) scope, please report the details of your findings. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VDP? \n\nAmazon’s Vulnerability Disclosure Program (VDP) is an initiative driven and managed by Amazon Vulnerability Research Program (VRP) team. 
Our goal is to partner with the security research community and customers to protect Amazon customer trust.\n\n##Who Can Participate in the Program\n\nAnyone who discovers a potential security finding should let us know.\n\n##How the Program Works\n* Everyone, including researchers and customers of Amazon, is encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own account and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services/Products in Scope\n\nSelected services under Amazon.com retail consumer websites.\n* Amazon retail consumer websites, including all country domains (e.g. Amazon.com, Amazon.co.uk, etc.)\n* Mobile apps (e.g. 
Android and iOS)\n\n##For other Types of Issues\n\n* Unknown, Suspicious, or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) Issues, please [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement, please [click here](https://www.amazon.com/gp/help/reports/infringement).\n* If you think you may have been contacted by a fraudulent source offering a job on behalf of Amazon, please send an email to Recruiting-Fraud@amazon.com.\n\n##Creating accounts\n\nPlease create accounts using a hackerone email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string hackeronevdpresearcher in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvdpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nIf you need to contact HackerOne, email amazon-program@hackerone.com.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* If your account is banned or blocked:\n    - Follow the on-screen instructions when you log in to your Amazon account for 
recovery\n    - Be prepared with a recent card statement available to prove ownership\n    - If the account is not restored within 24 hours, please contact us at amazon-program@hackerone.com\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| High - Critical | \n| 6 | Directory Traversal - Local File Inclusion | High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Reflected Cross Site Scripting\t| Medium |    \n| 11 | Misconfiguration        | Low - High         | \n| 12 | Web Cache Deception | Low - Medium   |\n| 13 | CORS Misconfiguration      | Low - Medium        | \n| 14 | CRLF Injection\t| Low - Medium |  \n| 15 | Cross Site Request Forgery        | Low - Medium         | \n| 16 | Open Redirect        | Low - Medium      |  \n| 17 | Information Disclosure | Low - Medium   | \n| 18 | Request smuggling | Low – Medium | \n\n\n##Out-of-Scope Issues\n* Self XSS\n* Security Best Practices i.e. Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Email Spoofing - SPF Records Misconfiguration\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Clickjacking\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Mixed Content\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-21T22:17:20.744Z"},{"id":3635298,"new_policy":"#Amazon Vulnerability Disclosure Program (VDP) - Program Policy\n\n##Introduction\n\nAt Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability within the Vulnerability Disclosure Program (VDP) scope, please report the details of your findings below. We appreciate your efforts in helping protect customer trust and make Amazon more secure.\n\n##What is VDP? \n\nAmazon’s Vulnerability Disclosure Program (VDP) is an initiative driven and managed by Amazon Vulnerability Research Program (VRP) team. 
Our goal is to partner with the security research community and customers to protect Amazon customer trust.\n\n##Who Can Participate in the Program\n\nAnyone who discovers a potential security finding should let us know.\n\n##How the Program Works\n* Everyone, including researchers and customers of Amazon, is encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own account and do not interact with other people’s accounts or data.\n* Document your findings thoroughly, providing steps to reproduce, and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.\n* We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research. \n* We will work with the affected teams to validate the report.\n* We will notify you of remediation and may reach out for questions or clarification.\n* We will work with the affected teams to make necessary improvements and remediation.\n\n##Services/Products in Scope\n\nSelected services under Amazon.com retail consumer websites.\n* Amazon retail consumer websites, including all country domains (e.g. Amazon.com, Amazon.co.uk, etc.)\n* Mobile apps (e.g. 
Android and iOS)\n\n##For other Types of Issues\n\n* Unknown, Suspicious, or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud please contact [Customer Service](https://www.amazon.com/gp/help/customer/contact-us/).\n* For Amazon Web Services (AWS) Issues, please [click here](https://aws.amazon.com/security/vulnerability-reporting/).\n* To report Copyright Infringement, please [click here](https://www.amazon.com/gp/help/reports/infringement).\n* If you think you may have been contacted by a fraudulent source offering a job on behalf of Amazon, please send an email to Recruiting-Fraud@amazon.com.\n\n##Creating accounts\n\nPlease create accounts using a hackerone email to help us track security research activity. You can create accounts on Amazon by using \u003cyourh1username@wearehackerone.com\u003e Also, while testing please forward the string hackeronevdpresearcher in your User-Agent header. You can create match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options. Type: Request header Match: ^User-Agent.*$ Replace: User-Agent: __amazonvdpresearcher__\n\n##Legal Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nIf you need to contact HackerOne, email amazon-program@hackerone.com.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n* Share your PII with third parties\n* Share your research without your permission\n* Share your HackerOne points or participation without your permission\n\n##Rules of Engagement\n* Provide details of the vulnerability finding, including information needed to reproduce and validate the report\n* Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services\n* Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own\n* Do not attempt to target Amazon employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform physical attacks against any Amazon facility\n* Do not use automated scanners/tools\n* If your account is banned or blocked:\n    - Follow the on-screen instructions when you log in to your Amazon account for 
recovery\n    - Be prepared with a recent card statement available to prove ownership\n    - If the account is not restored within 24 hours, please contact us at amazon-program@hackerone.com\n\n**NOTE:** Please do not use 3rd party sites when doing testing (for instance, \u003cyourdomains\u003e@xss.ht) - we understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!\n\n##Research Guidance\n\nReference HackerOne guidance on writing quality reports:\n* https://docs.hackerone.com/hackers/quality-reports.html\n* https://www.hacker101.com/sessions/good_reports\n\n##Responsible Disclosure Policy\n\nThank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party until Amazon confirms mitigation. 
Do not threaten or attempt to extort Amazon.\n\nAmazon commits to timely remediation of your findings, and prompt response to relevant questions.\n\n##In-Scope Vulnerabilities\n|         | Vulnerability         | Severity Range         |  \n|----------                |------------                |--------                |\n| 1 | Remote Code Execution | Critical   |               \n| 2 | SQL Injection | High - Critical | \n| 3 | XXE | High - Critical | \n| 4 | XSS    | Medium - High     |\n| 5 | Server-Side Request Forgery\t| High - Critical | \n| 6 | Directory Traversal - Local File Inclusion | High | \n| 7 | Authentication/Authorization Bypass (Broken Access Control) | Medium - High      |   \n| 8 | Privilege Escalation | Medium - High   | \n| 9 | Insecure Direct Object Reference      | Medium - Critical       | \n| 10 | Reflected Cross Site Scripting\t| Medium |    \n| 11 | Misconfiguration        | Low - High         | \n| 12 | Web Cache Deception | Low - Medium   |\n| 13 | CORS Misconfiguration      | Low - Medium        | \n| 14 | CRLF Injection\t| Low - Medium |  \n| 15 | Cross Site Request Forgery        | Low - Medium         | \n| 16 | Open Redirect        | Low - Medium      |  \n| 17 | Information Disclosure | Low - Medium   | \n| 18 | Request smuggling | Low – Medium | \n\n\n##Out-of-Scope Issues\n* Self XSS\n* Security Best Practices i.e. Security Headers, Mixed content, etc.\n* Social Engineering, Phishing\n* Physical Attacks\n* Missing Cookie Flags\n* CSRF with minimal impact i.e. 
Login CSRF, Logout CSRF, etc.\n* Content Spoofing\n* Email Spoofing - SPF Records Misconfiguration\n* Stack Traces, Path Disclosure, Directory Listings\n* SSL/TLS best practices\n* Banner Grabbing\n* CSV Injection\n* Clickjacking\n* Reflected File Download\n* Reports on Out of dated browsers\n* DOS/DDOS\n* Host header Injection without a demonstrable impact\n* Scanner Outputs\n* Vulnerabilities on Third-Party Products\n* User Enumeration\n* Password Complexity\n* HTTP Trace Method\n* Mixed Content\n\n##Out-of-Scope Assets\n\n| Category| Asset   |\n|------------|-----------------------------     |\n| Physical Stores\t | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical  Stores will be out-of-scope |\n|AWS      |\t All AWS related services and products will be out-of-scope -  See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/|\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-21T21:58:46.732Z"}]