Amazon Bug Bounty

Are you interested in getting involved in one of the leading bug bounty programs? If so, Amazon’s Bug Bounty Program is worth considering. The program allows ethical hackers to discover and report security issues that affect a variety of Amazon products and services.

Program Overview

Minimum Reward

Maximum Reward

Average Payout

Total Payouts: $3 million


The following vulnerabilities are in scope:

  • Remote Code Execution
  • SQL Injection
  • XXE
  • XSS
  • Server-Side Request Forgery
  • Directory Traversal – Local File Inclusion
  • Authentication/Authorization Bypass (Broken Access Control)
  • Privilege Escalation
  • Insecure Direct Object Reference
  • Misconfiguration
  • Web Cache Deception
  • CORS Misconfiguration
  • CRLF Injection
  • Cross-Site Request Forgery
  • Open Redirect
  • Information Disclosure
  • Request Smuggling
  • Mixed Content

For more information on in-scope vulnerabilities, please visit HackerOne.

Frequently Asked Questions

Does Amazon have a bug bounty?

Yes, Amazon has a bug bounty program. Launched in 2021, the Amazon bug bounty program provides ethical hackers with a way to earn rewards for identifying vulnerabilities. For more information on Amazon’s bug bounty, please visit HackerOne.

How much does Amazon pay for bug bounty?

On average, researchers earn $4,500 per resolved report on the Amazon bug bounty program. Factors such as the severity of the vulnerability and its impact on user data can affect the payout amount. For example, critical issues could result in payouts of up to $20,000.

Does AWS have a bug bounty program?

Unfortunately, Amazon Web Services (AWS) is not in scope for Amazon’s Bug Bounty Program. For vulnerabilities related to AWS, please visit the AWS Vulnerability Reporting page.