Bug Bounties

Amazon Vulnerability Research Program

Powered by: 

Allows bounty splitting: 

Average time to first program response: 3

Average time to bounty awarded: 341

Average time to report resolved: 1412

Handle amazonvrp

Managed program: true

Name: Amazon Vulnerability Research Program

Offers bounties: true

Offers swag: false

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/amazonvrp

Website: https://www.amazon.com

In scope:

  • Asset identifier: 297606951
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Amazon Retail Subsidiaries (Please only actively test explicitly stated scope)
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Other Amazon Retail Assets (Please only actively test explicitly stated scope)
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Other Amazon Retail Mobile Apps (Please only actively test explicitly stated scope)
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Other Amazon Retail Sites (Please only actively test explicitly stated scope)
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: affiliate-program.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: apay-us.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: api.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: chat.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.amazon.mShop.android.shopping
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: flex.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://flex.amazon.com.mx http://flex.amazon.fr http://flex.amazon.de
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: freight.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://freight.amazon.com http://freight.amazon.de http://freight.amazon.co.uk
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: fresh.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://fresh.amazon.com
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: http://www.amazon.com/cpe/yourpayments/wallet
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://amazonpay.amazon.in/*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.amazon.com/amazoncash
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.amazon.com/dppui/*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.amazon.com/gp/buy/*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.amazon.in/wealth/*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This domain has some functionality that resides with Amazon which is what should be tested. It also acts as a wrapper for amazonpay.kuvera.in which is not in scope.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.amazonpay.in/*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: logistics.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://logistics.amazon.com.mx http://logistics.amazon.ca http://logistics.amazon.co.jp http://logistics.amazon.fr http://logistics.amazon.com.au
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: manufacturing.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://manufacturing.amazon.com
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: manufacturing.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: music.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://music.amazon.com http://music.amazon.com.br http://music.amazon.com.mx http://music.amazon.ca http://music.amazon.in http://music.amazon.co.jp http://music.amazon.fr http://music.amazon.de http://music.amazon.it http://music.amazon.es http://music.amazon.co.uk http://music.amazon.com.au
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: org.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://org.amazon.com http://org.amazon.de http://org.amazon.co.uk
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: pay.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://pay.amazon.in http://pay.amazon.co.jp http://pay.amazon.fr http://pay.amazon.de http://pay.amazon.it http://pay.amazon.es http://pay.amazon.co.uk
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: payments.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: All international TLDs in scope:
      * https://payments.amazon.com
      * https://payments.amazon.co.uk
      * https://payments.amazon.co.jp
      * https://payments.amazon.ie
    How to Login:
      * For US, go to https://pay.amazon.com
      * Log in with your Amazon credentials after selecting “Sign-in with your Shoppers amazon account”. You will be redirected to the orders page (https://payments.amazon.com/jr/your-account/orders) where you can see your Amazon Pay transactions.
      * If you do not see any transactions, you need to make a transaction using Amazon Pay with a seller. Once the transaction is complete, you can find orders and transactions on this page.
      * You can follow the same steps for other marketplaces.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: photos.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://photos.amazon.com http://photos.amazon.com.br http://photos.amazon.ca http://photos.amazon.cn http://photos.amazon.co.jp http://photos.amazon.fr http://photos.amazon.de http://photos.amazon.it http://photos.amazon.es http://photos.amazon.co.uk http://photos.amazon.com.au
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: prime.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://prime.amazon.com http://prime.amazon.co.jp
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: primenow.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://primenow.amazon.com http://primenow.amazon.ca http://primenow.amazon.co.jp http://primenow.amazon.fr http://primenow.amazon.de http://primenow.amazon.it http://primenow.amazon.es http://primenow.amazon.co.uk
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: shopbylook.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://shopbylook.amazon.com
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: smile.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Full list of international TLDs in scope: http://smile.amazon.com http://smile.amazon.de http://smile.amazon.co.uk
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: track.amazon.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: www.amazon.*
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: All international retail marketplaces:
      * Brazil: www.amazon.com.br
      * Canada: www.amazon.ca
      * Mexico: www.amazon.com.mx
      * United States: www.amazon.com
      * China: www.amazon.cn
      * India: www.amazon.in
      * Japan: www.amazon.co.jp
      * Singapore: www.amazon.sg
      * Turkey: www.amazon.com.tr
      * United Arab Emirates: www.amazon.ae
      * France: www.amazon.fr
      * Germany: www.amazon.de
      * Italy: www.amazon.it
      * Netherlands: www.amazon.nl
      * Spain: www.amazon.es
      * Sweden: www.amazon.se
      * United Kingdom: www.amazon.co.uk
      * Australia: www.amazon.com.au
  • Integrity requirements: 
  • Max severity: critical