I reported a vulnerability to Amazon last year. I got an initial response within 24 hours, and follow-up emails every week until it was patched. Was kind of well handled.
They don't do bug bounties, though.
I reported weird shit happening with SYN and PING and what I got was "how dare you insult my reports" from Paul Vixie; but I used to work for him. Ultimately I blocked all SYNs and ICMP ping inbound from Amazon addresses, spoofed or not. Problem solved. Boohoo, soi-disant "security researchers".