Amazon Vulnerability Research Program - Devices Bug Bounty Program — Scope, Rewards & How to Hack

Program Overview

Amazon Vulnerability Research Program - Devices runs a bug bounty program on HackerOne. The program has 33 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets

15h

Avg Response

81%

Efficiency

18d

Avg Bounty Time

237d

Avg Resolve

In-Scope Assets

Asset	Type	Max Severity	Eligible
1324809509	APPLE_STORE_APP_ID	Critical	Bounty
1528364633	APPLE_STORE_APP_ID	Critical	Bounty
302584613	APPLE_STORE_APP_ID	Critical	Bounty
621574163	APPLE_STORE_APP_ID	Critical	Bounty
944011620	APPLE_STORE_APP_ID	Critical	Bounty
947984433	APPLE_STORE_APP_ID	Critical	Bounty
Echo Family Devices	HARDWARE	Critical	Bounty
FireTV	HARDWARE	Critical	Bounty
Kindle E-Reader	HARDWARE	Critical	Bounty
Luna	HARDWARE	Critical	Bounty
Other	OTHER	Critical	No Bounty
Tablets	HARDWARE	Critical	Bounty
a4k.amazon.com	URL	Critical	Bounty
alexa.amazon.com	URL	Critical	Bounty
alexaanswers.amazon.com	URL	Critical	Bounty
amazon.com/hz/mycd/*	URL	Critical	Bounty
api.amazonalexa.com/*	URL	Critical	Bounty
blueprints.amazon.com	URL	Critical	Bounty
com.amazon.clouddrive.photos	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.dee.alexaonwearos	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.dee.app	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.kindle	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.storm.lightning.client.aosp	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.tahoe.freetime	GOOGLE_PLAY_APP_ID	Critical	Bounty
com.amazon.tails	GOOGLE_PLAY_APP_ID	Critical	Bounty
creator.amazon.com	URL	Critical	Bounty
developer.amazon.com/alexa/*	URL	Critical	Bounty
developer.amazon.com/apps-and-games/*	URL	Critical	Bounty
https://luna.amazon.com/*	URL	Critical	Bounty
https://www.amazon.com/luna/*	URL	Critical	Bounty
read.amazon.com	URL	Critical	Bounty
skills-store.amazon.com	URL	Critical	Bounty
www.amazon.com/photos/*	URL	Critical	Bounty

Out-of-Scope Assets

"Contact Us" Functionality
Devices
Services and Apps

Tips for Hacking Amazon Vulnerability Research Program - Devices

Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Amazon Vulnerability Research Program - Devices?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Amazon Vulnerability Research Program - Devices pay bounties?

Yes, Amazon Vulnerability Research Program - Devices offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Amazon Vulnerability Research Program - Devices accept?

Amazon Vulnerability Research Program - Devices accepts reports for vulnerabilities found in their 33 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.

Amazon Vulnerability Research Program - Devices Bug Bounty Program

Program Overview

In-Scope Assets

Out-of-Scope Assets

Tips for Hacking Amazon Vulnerability Research Program - Devices

Frequently Asked Questions

Similar Programs on HackerOne

Prudential Financial

23andMe Bug Bounty

BitMEX