Scope Type | Scope Name
web_application | DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.)
We care about creating a safe, resilient environment where our customers and community can innovate with confidence.
We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due to its potential likelihood or impact. If we downgrade a report, a full, detailed explanation will be provided to the researcher (who has an opportunity to appeal).
NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.
Last updated 8 Mar 2019 18:52:12 UTC
Technical severity | Reward range
P1 Critical | Up to: $5,000
P2 Severe | Up to: $2,500
P3 Moderate | Up to: $500
P4 Low | Up to: $150
P5 submissions do not receive any rewards for this program.
Target name | Type
<https://cloud.digitalocean.com> | Website
<https://api.digitalocean.com> | API
*.digitaloceanspaces.com | API
DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.) | Website
We are particularly interested in:
All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.).
Additionally, we're not interested in the following types of results:
If you have discovered a significant out-of-scope issue, please contact us directly at email@example.com.
We expect that issue reports contain:
When registering an account, please use your firstname.lastname@example.org email address. For more info regarding @bugcrowdninja email addresses, see here.
If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).
DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.