Amazon Vulnerability Research Program Bug Bounty Program

Program Overview

Amazon Vulnerability Research Program runs a bug bounty program on HackerOne. The program has 100 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets

Asset	Type	Max Severity	Eligible
*.amazon.ae	WILDCARD	Critical	Bounty
*.amazon.ca	WILDCARD	Critical	Bounty
*.amazon.cl	WILDCARD	Critical	Bounty
*.amazon.cn	WILDCARD	Critical	Bounty
*.amazon.co.jp	WILDCARD	Critical	Bounty
*.amazon.co.uk	WILDCARD	Critical	Bounty
*.amazon.co.za	WILDCARD	Critical	Bounty
*.amazon.com	WILDCARD	Critical	Bounty
*.amazon.com.au	WILDCARD	Critical	Bounty
*.amazon.com.be	WILDCARD	Critical	Bounty
*.amazon.com.br	WILDCARD	Critical	Bounty
*.amazon.com.co	WILDCARD	Critical	Bounty
*.amazon.com.mx	WILDCARD	Critical	Bounty
*.amazon.com.ng	WILDCARD	Critical	Bounty
*.amazon.com.tr	WILDCARD	Critical	Bounty
*.amazon.de	WILDCARD	Critical	Bounty
*.amazon.eg	WILDCARD	Critical	Bounty
*.amazon.es	WILDCARD	Critical	Bounty
*.amazon.fr	WILDCARD	Critical	Bounty
*.amazon.in	WILDCARD	Critical	Bounty
*.amazon.it	WILDCARD	Critical	Bounty
*.amazon.nl	WILDCARD	Critical	Bounty
*.amazon.pl	WILDCARD	Critical	Bounty
*.amazon.sa	WILDCARD	Critical	Bounty
*.amazon.se	WILDCARD	Critical	Bounty
*.amazon.sg	WILDCARD	Critical	Bounty
1057338687	APPLE_STORE_APP_ID	Critical	Bounty
1151746202	APPLE_STORE_APP_ID	Critical	Bounty
1265170914	APPLE_STORE_APP_ID	Critical	Bounty
1276296103	APPLE_STORE_APP_ID	Critical	Bounty
1454725763	APPLE_STORE_APP_ID	Critical	Bounty
1475021574	APPLE_STORE_APP_ID	Critical	Bounty
1478350915	APPLE_STORE_APP_ID	Critical	Bounty
1494755014	APPLE_STORE_APP_ID	Critical	Bounty
1498197033	APPLE_STORE_APP_ID	Critical	Bounty
1532153219	APPLE_STORE_APP_ID	Critical	Bounty
1552455423	APPLE_STORE_APP_ID	Critical	Bounty
1579372261	APPLE_STORE_APP_ID	Critical	Bounty
1592204907	APPLE_STORE_APP_ID	Critical	Bounty
1659883691	APPLE_STORE_APP_ID	Critical	Bounty
297606951	APPLE_STORE_APP_ID	Critical	Bounty
335187483	APPLE_STORE_APP_ID	Critical	Bounty
342576766	APPLE_STORE_APP_ID	Critical	Bounty
348712880	APPLE_STORE_APP_ID	Critical	Bounty
358861688	APPLE_STORE_APP_ID	Critical	Bounty
374254473	APPLE_STORE_APP_ID	Critical	Bounty
510855668	APPLE_STORE_APP_ID	Critical	Bounty
545519333	APPLE_STORE_APP_ID	Critical	Bounty
6444868926	APPLE_STORE_APP_ID	Critical	Bounty
6452192521	APPLE_STORE_APP_ID	Critical	Bounty

Showing 50 of 100 in-scope assets. View all on HackerOne.

Out-of-Scope Assets

• "Contact Us" Functionality
• *.*a2z*.*
• *.aws.*
• *.dev
• AWS and AWS customer assets are strictly out of scope
• Amazon Web Services (AWS)
• Anything considered a non-prod asset
• Anything which redirects to AWS
• amazongames.com
• learning.logistics.amazon.com

Tips for Hacking Amazon Vulnerability Research Program

1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Amazon Vulnerability Research Program?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Amazon Vulnerability Research Program pay bounties?

Yes, Amazon Vulnerability Research Program offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Amazon Vulnerability Research Program accept?

Amazon Vulnerability Research Program accepts reports for vulnerabilities found in their 100 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.