[kerng]

It's not, I still have the email exchange from a couple years back - I thought of posting it somewhere because it was so odd, but I dont have a blog and I am not interested in publicity.

Amazon still doesn't offer a bug bounty program to my knowledge. Also, it's the only cloud provider my active security researcher friends tell me that attempts to regulate them by some weird pen test authorization requirements which are very foreign to industry standards of other cloud providers.

I'm just on the side lines watching, but there is a difference of how transparent AWS vs. GCP vs. Azure are when it comes to security. GCP > Azure > AWS

[WrtCdEvrydy]

> pen test authorization requirements

Yes, we don't want people to publicize when we fuck up so we'd rather just NDA them to death when they tell us about bugs.

Edit: If you don't accept, we just use the hacking laws in the US to silence you.

[lawnchair_larry]

Well, you’re not entitled to conduct attacks on them at all, so why shouldn’t the terms be up to them?

[Drdrdrq]

This sounds.. awful. I'm sure there are reasons, but hiding information this way makes you seem incompetent and unsure of yourself (you as Amazon, not you personally) in my eyes.

Edit: I assume you are speaking as employee of Amazon of course, which is not necessarily true.

[lawnchair_larry]

There’s no way that would be their reason.

[diogenescynic]

Pretty sure they do: https://www.amazon.jobs/en/jobs/750254/security-engineer-ii-... And: https://aws.amazon.com/security/vulnerability-reporting/

[kerng]

It's just reporting, no payouts.