21/02/2017
DigitalOcean

We care about creating a safe, resilient environment where our customers and community can innovate with confidence.

Ratings/Rewards

We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due to its potential likelihood or impact. If we downgrade a report, we will provide a full, detailed explanation to the researcher (who has an opportunity to appeal).

NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.

Reward Range

Last updated 8 Mar 2019 18:52:12 UTC

Technical severity | Reward range
---|---
p1 Critical | Up to: $5,000
p2 Severe | Up to: $2,500
p3 Moderate | Up to: $500
p4 Low | Up to: $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
<https://cloud.digitalocean.com> | Website
<https://api.digitalocean.com> | API
*.digitaloceanspaces.com | API

Focus Areas

We are particularly interested in:

  • Issues that result in full compromise of a system (RCE, Sandbox escapes, etc.)
  • Business logic bypasses resulting in significant impact

Responsible Disclosure

DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:

  • Share with us the full details of the issue, including any information needed to reproduce it.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not attempt to modify, damage, or access data that does not belong to you.

Attributes of a Good Report

We expect that issue reports contain:

  • Detailed steps for reproducing the issue. We prefer detailed steps over videos, though you can include any information you think we will find valuable.
  • If you were logged into a DigitalOcean account while performing the attack, please include account information in the report; this information makes certain issues much easier to debug.

Targets

Target name | Type
---|---
<https://cloud.digitalocean.com> | Website
<https://api.digitalocean.com> | API
*.digitaloceanspaces.com | API

DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.)

Documentation

All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.)

If you have discovered a significant out-of-scope issue, please contact security@digitalocean.com.

Access

When registering an account, please use your username@bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).

Program Exclusions

  • Support tickets (due to the load on our support teams--please DO NOT perform any testing on, or create any, support tickets. Thanks!)
  • Rate limit bypasses, with the exception of those that have a direct security impact
  • Missing SPF/DMARC/DKIM settings on non-email DigitalOcean domains.
  • Publicly known processor side-channel attacks
  • Any physical attempts against DigitalOcean property or data centers
  • Social engineering / phishing
  • DigitalOcean corporate infrastructure

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2019