Reporting Phishing or Spoofed E-mails to Amazon

If you receive an e-mail purporting to be from Amazon and you are unsure whether it is legitimate, it may be a “phishing e-mail” in which the sender’s e-mail address is forged or “spoofed”. Often the e-mail contains links to a website that looks like Amazon.com but is not our site. The website may ask you for your Amazon username and password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other e-mails contain links that may redirect you to other potentially dangerous web sites. The message may also include attachments, which typically contain unwanted software called "malware." If you received a message like this, you should delete it without clicking any links or opening any attachments.

If you wish to report an e-mail purporting to be from Amazon that you believe is a forgery, you may do so here: Report suspect e-mails to Amazon

You may also forward phishing emails and other suspected forgeries directly to stop-spoofing@amazon.com.

Vulnerability Reporting

Amazon Web Services understands and values the trust our customers place in us. We take security very seriously, and investigate all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.

Communicating with AWS

Appropriate Use and Your Privacy

The information you share with AWS as part of this process is kept confidential within AWS. It will not be shared with third parties without your permission.

Contact Methods

Please e-mail us directly at aws-security@amazon.com to report suspected vulnerabilities. If you wish to protect your email, you may use PGP; our key is here.

Contact SLAs

AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.

The Process

Initial Contact

If you believe you have discovered a vulnerability in any AWS product, contact AWS as described above. So that we may more rapidly and effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

Acknowledgment

AWS will review the submitted report and assign it a tracking number. We will then respond to you, acknowledging receipt of the report and outlining the next steps in the process.

Evaluation

Once the report has been reviewed, AWS will work to validate the reported vulnerability and reproduce it. If additional information is required in order to validate or reproduce the issue, AWS will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.

Many vendors offer products within the AWS cloud. If the vulnerability is found to affect a third party product, AWS will notify the author of the affected software. AWS will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.

Resolution

If the issue cannot be validated, or is not found to be a flaw in an AWS product, this will be shared with you.

Notification

If applicable, AWS will coordinate public notification of a validated vulnerability with you. AWS security bulletins are posted in the AWS Security Center. Individuals, companies, and security teams typically post their advisories on their own web sites and in other forums. When possible, we would prefer that our respective public disclosures be posted simultaneously.

Threat Classification

AWS uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential reported vulnerabilities. The resulting score helps us quantify the severity of the vulnerability and prioritize our response. In addition, AWS includes CVSS base and temporal scores in our security advisories, helping customers to understand their risk and to prioritize their own responses.

For more information on CVSS, please see the CVSS-SIG announcement.

Regarding Disclosure

In order to protect our customers, AWS requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.





Testimonial
“The improved computer security includes, but is not limited to, greater protection against network attacks and real time detection of system tampering.”

- Recovery Accountability and Transparency Board on the expected security benefits from moving Recovery.gov to the AWS cloud.



©2011, Amazon Web Services LLC or its affiliates. All rights reserved.