I've in the past found and reported two acutely critical bugs to AWS, directly to the devs for the product, who in one case had a fix out in about six hours (the other in the next patch release, I recall).

I can't even think about how much damage was prevented.

Response from AWS? Zilch. Nothing. Nada. They don't have a bug bounty program. I doubt they even know, beyond the devs who made the fixes, the information came from outside.

I've found other bugs, which I've tried reporting to Support. That usually goes nowhere, even after months of effort; Support have a superficial understanding of the product, and don't seem to be able to *think* much for themselves; you get rote and rigid responses. After six months of trying to explain one particular bug I gave up trying.

I don't report bugs any more. It costs me time and money to find them, they're problematic to report, and AWS either haven't thought about it, or expect them for free. In any event I assert by their actions - the lack of a bounty program, and the difficulty in reporting to Support - they do not take security and reliability seriously.

Of course, Amazon *says* it does - but what else are they going to say?

Amazon also says the customer is the center of everything they do, and I've seen a number of large companies say that, and when a large company begins to say that, that's when it has *definitively* stopped putting the customer first.

Trivial example: after one year, support cases are *silently* deleted. I had an archive of material I wanted to examine, to check for any interesting information, and when I went to them, half were gone. I contacted Support. They explained this is documented (it is - one sentence in a vast FAQ, below a question about finding AWS docs in Japanese), that there was nothing they could or would do, and closed the support case, without giving me the opportunity to even reply.

You'd have to come away from that thinking they just don't care.

I actually stopped using Amazon about a year ago, after El Reg produced a report on the working conditions in their warehouses.

I stopped paying for AWS Support a year or two before that; Support for individual developers is almost free, there's a token charge only, but, I'm sad to say, Support wasn't worth *having*, regardless of the price. The Support was normally irrelevant, wrong, incredibly difficult to get anywhere, and if you start to ask questions they don't want to answer, Support will *actively* mislead you, so that you *think* you're being answered, when in fact what you're being told is incorrect *and they know it*. I was seriously unimpressed with that once I realised it was happening.

