Amazon Web Services takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.
Reporting Suspected Vulnerabilities
- Amazon.com (Retail): If you have a security concern with Amazon.com (Retail), Seller Central, Amazon Payments, or other related issues such as suspicious orders, invalid credit card charges, suspicious emails, or vulnerability reporting, please visit our Security for Retail webpage.
- Amazon Web Services (AWS): If you would like to report a vulnerability or have a security concern regarding AWS cloud services, please email email@example.com. If you wish to protect your email, you may use our PGP key.
If you suspect that AWS resources (such as an EC2 instance or S3 bucket) are being used for suspicious activity, you can report it to the AWS Abuse Team.
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you share with AWS as part of this process is kept confidential within AWS. It will not be shared with third parties without your permission.
AWS will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
Evaluation By AWS
Once the report has been submitted, AWS will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, AWS will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.
A few things to note about the AWS evaluation process:
- Third-Party Products: Many vendors offer products within the AWS cloud. If the vulnerability is found to affect a third party product, AWS will notify the author of the affected software. AWS will continue to coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
- Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to be a flaw in an AWS product, this will be shared with you.
- Vulnerability Classification: AWS uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and to prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.
AWS is committed to being responsive and keeping you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.
If applicable, AWS will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
In order to protect our customers, AWS requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.
AWS public notifications are in the form of Security Bulletins, which are posted in the AWS Security Center. Individuals, companies, and security teams typically post their advisories on their own web sites and in other forums and when relevant, we will include links to those third-party resources in AWS security bulletins.