AWS VDP Vulnerability Disclosure Program

Program Overview

AWS VDP runs a vulnerability disclosure program on HackerOne. The program has 558 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets

Asset	Type	Max Severity	Eligible
*.agscollab.com	OTHER	Critical	No Bounty
*.agslauncher.com	OTHER	Critical	No Bounty
*.amazongames.com	OTHER	Critical	No Bounty
*.aws.dev	OTHER	Critical	No Bounty
*.cloudendure.com	OTHER	Critical	No Bounty
*.gaming.amazon.com	OTHER	Critical	No Bounty
*.lambda-url.*.on.aws	OTHER	Critical	No Bounty
*.lostark.games.aws.dev	WILDCARD	High	No Bounty
*.newworld.com	OTHER	Critical	No Bounty
*.people.aws.com	OTHER	Low	No Bounty
*.people.aws.dev	OTHER	Low	No Bounty
*.sa.aws.dev	OTHER	None	No Bounty
*.tsologic.com	OTHER	Critical	No Bounty
*.workshops.aws.dev	OTHER	Medium	No Bounty
1023499075	APPLE_STORE_APP_ID	Critical	No Bounty
AWS - Cloud Shell	OTHER	Critical	No Bounty
AWS Account Management	OTHER	Critical	No Bounty
AWS Activate	OTHER	Critical	No Bounty
AWS Amplify	OTHER	Critical	No Bounty
AWS App Mesh	OTHER	Critical	No Bounty
AWS App Runner	OTHER	Critical	No Bounty
AWS App Studio	OTHER	Critical	No Bounty
AWS App2Container	OTHER	Critical	No Bounty
AWS AppConfig	OTHER	Critical	No Bounty
AWS AppFabric	OTHER	Critical	No Bounty
AWS AppSync	OTHER	Critical	No Bounty
AWS Application Auto Scaling	OTHER	Critical	No Bounty
AWS Application Composer	OTHER	Critical	No Bounty
AWS Application Cost Profiler	OTHER	Critical	No Bounty
AWS Application Cost Profiler Service	OTHER	Critical	No Bounty
AWS Application Discovery Service	OTHER	Critical	No Bounty
AWS Application Migration Service	OTHER	Critical	No Bounty
AWS Application Transformation Service	OTHER	Critical	No Bounty
AWS Artifact	OTHER	Critical	No Bounty
AWS Audit Manager	OTHER	Critical	No Bounty
AWS Auto Scaling	OTHER	Critical	No Bounty
AWS B2B Data Interchange	OTHER	Critical	No Bounty
AWS Backint Agent	OTHER	Critical	No Bounty
AWS Backup	OTHER	Critical	No Bounty
AWS Batch	OTHER	Critical	No Bounty
AWS Billing	OTHER	Critical	No Bounty
AWS Billing and Cost Management	OTHER	Critical	No Bounty
AWS Blockchain Templates	OTHER	Critical	No Bounty
AWS Budget Service	OTHER	Critical	No Bounty
AWS BugBust	OTHER	Critical	No Bounty
AWS Builder ID	OTHER	Critical	No Bounty
AWS Certificate Manager	OTHER	Critical	No Bounty
AWS Certificate Manager (ACM)	OTHER	Critical	No Bounty
AWS Chalice	OTHER	Critical	No Bounty
AWS Chatbot	OTHER	Critical	No Bounty

Showing 50 of 558 in-scope assets. View all on HackerOne.

Out-of-Scope Assets

• https://*.amazonaws.com/*

Tips for Hacking AWS VDP

1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking AWS VDP?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does AWS VDP pay bounties?

No, AWS VDP runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.

What types of vulnerabilities does AWS VDP accept?

AWS VDP accepts reports for vulnerabilities found in their 558 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.