

In Scope

Scope Type | Scope Name
web_application | *
web_application | DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.)


We care about creating a safe, resilient environment where our customers and community can innovate with confidence.


We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due to its potential likelihood or impact. If we downgrade a report, a full, detailed explanation will be provided to the researcher (who has an opportunity to appeal).

NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.

Reward Range

Last updated 8 Mar 2019 18:52:12 UTC

Technical severity | Reward range
p1 Critical | Up to: $5,000
p2 Severe | Up to: $2,500
p3 Moderate | Up to: $500
p4 Low | Up to: $150

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
<> | Website
<> | API
* | API
DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.) | Website

Focus Areas

We are particularly interested in:

  • Issues that result in full compromise of a system (RCE, Sandbox escapes, etc.)
  • Business logic bypasses resulting in significant impact

Scope Exclusions

All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.).

Additionally, we're not interested in the following types of results:

  • Support tickets (due to the load on our support teams--please DO NOT perform any testing on, or create any, support tickets. Thanks!)
  • Rate limit bypasses, with the exception of those that have a direct security impact
  • Missing SPF/DMARC/DKIM settings on non-email DigitalOcean domains
  • Publicly known processor side-channel attacks
  • Any physical attempts against DigitalOcean property or data centers
  • Social engineering / phishing
  • DigitalOcean corporate infrastructure

If you have discovered a significant out-of-scope issue, please contact us directly at


Attributes of a Good Report

We expect that issue reports contain:

  • Detailed steps for reproducing the issue. We prefer detailed steps over videos, though you can include any information you think we will find valuable.
  • If you were logged into a DigitalOcean account while performing the attack, please include account information in the report; this information makes certain issues much easier to debug.


When registering an account, please use your email address. For more info regarding @bugcrowdninja email addresses, see here.

If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).

Responsible Disclosure

DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:

  • Share with us the full details of the issue, including any information needed to reproduce it.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not attempt to modify, damage, or access data that does not belong to you.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
