AWS needs a bug bounty program

Andreas Wittig – 17 Sep 2020

A few weeks ago, while evaluating an AWS service, I stumbled upon an issue with the way the AWS API evaluates IAM policies for a particular IAM action. I contacted aws-security@amazon.com about that and was positively surprised about the professionalism in which the team handled my request. In the end, my reported issue was classified as a won’t fix. AWS updated the documentation to clarify the behavior. Fine!

AWS is missing a bug bounty program

The whole process made me think about how AWS handles vulnerability reports from its customers and ethical hackers. And I realized that AWS does not offer a bug bounty program. That’s a poor choice, in my opinion.

What?

What is a bug bounty program? The deal is simple. An individual reports a bug to an organization and receives compensation in return. Most often, those bug bounty programs focus on security exploits and vulnerabilities. The bug bounty program sets the rules for reporting a bug and receiving compensation, typically based on severity. For example, when reporting a bug that could lead to remote code execution on Azure, Microsoft will pay you up to $40,000.1

Cover of Rapid Docker on AWS

Become a Docker on AWS professional!

Our book Rapid Docker on AWS is designed for DevOps engineers and web developers who want to run dockerized web applications on AWS. We lead you with many examples: From dockerizing your application to Continuous Deployment and Infrastructure as Code on AWS. No prior knowledge of Docker and AWS is required. Get the first chapter for free!

Why?

In my opinion, having a public bug bounty program is essential for two reasons:

  1. Filing a high-quality bug report is a lot of work. Customers who do the extra work of reporting their observations should be compensated. Otherwise, some bugs will never be reported.
  2. Attracting independent security experts - some call them ethical hackers - to uncover vulnerabilities provides an extra layer of protection.

I can’t find a reason for not having a bug bounty program.

Bug Bounty Program?

Let’s compare the major cloud providers

✅ Yes ❌ No
✅ Microsoft Azure1 ❌ Amazon Web Services
✅ Google Cloud Platform2 ❌ Oracle Cloud
✅ Alibaba Cloud3 ❌ IBM Cloud4
✅ Tencent Cloud5

Four of seven cloud providers offer a bug bounty program. Unfortunately, the market leader Amazon Web Services, does not. Even though AWS never misses an opportunity to assure security is their top priority. If these are not empty promises, I expect AWS to launch a bug bounty program soon!


  1. 1. https://www.microsoft.com/en-us/msrc/bounty-microsoft-azure
  2. 2. https://www.google.com/about/appsecurity/reward-program/
  3. 3. https://hackerone.com/alibaba
  4. 4. https://hackerone.com/ibm but does not offer any bounties
  5. 5. https://hackerone.com/tencent

Become a cloudonaut supporter

Andreas Wittig

Andreas Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 360 articles, 50 podcast episodes, and 48 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Markus Ellers, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Shawn Tolidano, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.