Vulnerability Reporting

• Amazon Web Services (AWS): Contact aws-security@amazon.com (PGP key) to report a vulnerability or security concern with AWS cloud services or open source projects.
• Amazon: Notify Retail Security of a vulnerability or security concern with Amazon Retail services or products.
• Penetration Testing: AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for listed services. For additional guidance, review the Policy for Penetration Testing.
• AWS Abuse: If you suspect that AWS resources (such as an EC2 instance or S3 bucket) are being used for suspicious activity, please complete the AWS abuse form or contact trustandsafety@support.aws.com.

So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

The Amazon CNA will issue CVEs that support customers in addressing valid security vulnerabilities within the following classes:

• AWS Services delivered by AWS and publicly available to customers. (e.g. Amazon EC2, Amazon RDS).
• Amazon Services delivered by Amazon and publicly available to customers. (e.g. Amazon.com Seller API Service).
• Open-source software within a GitHub organization managed by Amazon or AWS.
• Client software published by Amazon or AWS and available for download from a website or download location owned and operated by us (e.g. Amazon Appstore SDK, Amazon Input SDK, Amazon Kindle App, Amazon MShop App, Amazon WorkSpaces client).
• Devices manufactured by Amazon or AWS and available to customers for purchase and use (e.g. Amazon Fire TV, Amazon Echo devices, Amazon Kindle, AWS Outpost).

Additionally, all of the requirements below must be met:

• Customer Impacting: The issue must exist within an Amazon or AWS-owned class which is publicly available to customers; AND
• Customer Agency: Remediation of supported or EOL/EOS product issues requires customer action, including making a risk-based decision on handling the remediation (OR customers need to assess possible impact) OR when a valid security vulnerability will become public (OR has the potential of becoming public); AND
• CVSS score: 4.0 (MEDIUM) or higher.

Services, software, or hardware issues that are deemed not a vulnerability include but are not limited to:

• Non-default configuration or changes made using valid credentials that were correctly authorized
• Targeting assets of Amazon or AWS customers (or non-AWS sites hosted on AWS infrastructure)
• Any vulnerability obtained through the compromise of Amazon or AWS customer or employee accounts
• Any Denial of Service (DoS) attack against Amazon or AWS products (or Amazon or AWS customers)
• Physical attacks against Amazon or AWS employees, offices, and data centers
• Social engineering of Amazon or AWS employees, contractors, vendors, or service providers
• Knowingly posting, transmitting, uploading, linking to, or sending malware
• Pursuing vulnerabilities which send unsolicited bulk messages (spam)

AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response confirming receipt of your initial report within 24 hours, timely updates, and monthly check-ins throughout the engagement. You may request updates at any time, and we welcome dialogue that clarifies any concern or disclosure coordination.

The activities deemed not a vulnerability above are also out of scope for the AWS Vulnerability Disclosure Program. Conducting any of the activities mentioned above will result in disqualification from the program permanently.

If applicable, AWS will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, AWS requests that you not post or share information about a potential vulnerability in any public setting until we have addressed the reported vulnerability and informed customers if necessary. Also, we respectfully ask that you do not post or share any data belonging to our customers. Please note, the time required to mitigate a vulnerability is dependent upon the severity of the vulnerability and the affected systems.

AWS makes public notifications in the form of Security Bulletins, which are posted in the AWS Security website. Individuals, companies, and security teams typically post their advisories on their own websites and in other forums and when relevant, we will include links to those third-party resources in AWS Security Bulletins.  

We believe that security research performed in good faith should be provided safe harbor. For the purposes of safe harbor for security research and reporting vulnerabilities, we have adopted the Gold Standard Safe Harbor. We look forward to working with security researchers who share our passion for protecting our customers.

Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.

This means that, for activity conducted while this program is active, we:

• Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
• Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.

You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.

Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.

Once the report has been submitted, we will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, we will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and discussion of public disclosure.

A few things to note about the process:

1. Third-Party Products: If the vulnerability is found to affect a third-party product, we will notify the owner of the affected technology. We will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
2. Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to be in scope, this will be shared with you.
3. Vulnerability Classification: We use version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and to prioritize our response. For more information on CVSS, please reference the NVD site.

In participating in our vulnerability disclosure program in good faith, we ask that you:

• Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
• Report any vulnerability you’ve discovered promptly;
• Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
• Use only the previously mentioned channels to discuss vulnerability information with us;
• Provide us a reasonable amount of time from the initial report to resolve the issue before you disclose it publicly;
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
• If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a proof-of-concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
• Only interact with test accounts you own or with explicit permission from the account holder; and
  
• Do not engage in extortion.