29894 policies in database
Link to program      
GoDaddy VDP logo

GoDaddy VDP

GoDaddy Vulnerability Disclosure Policy

GoDaddy’s Vulnerability Disclosure Program Terms and Conditions ("Terms") cover your participation in the Vulnerability Disclosure Program (the "Program"). By submitting any vulnerabilities to GoDaddy or otherwise participating in the Program in any manner, you agree and accept these Terms made between you and GoDaddy.com LLC (“GoDaddy,” “us” or “we”). Each Service has a separate set of terms applicable to that Service (the "Service Agreements"), to include GoDaddy’s Universal Terms of Service, all of which are incorporated by reference into these Terms. In the event of a conflict between these Terms and the Service Agreements for a particular Service, the Service Agreement control for that particular Service only.


The Program enables users to submit vulnerabilities and exploitation techniques to GoDaddy (“Submission”). No rewards will be issued for Submissions. GoDaddy may change or cancel this Program at any time, for any reason without notice.


Publicly accessible information systems, web property, or data owned, operated, or controlled by GoDaddy.

Out of scope Vulnerabilities:

GoDaddy reserves the right to add to and subtract from the Out-of-scope vulnerabilities list depending on the evaluated severity of reported vulnerabilities and risk acceptance.

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• DoS, brute force, user enumeration or DDoS attacks

• Any physical attacks against GoDaddy property or data centers

• Social Engineering, including phishing

• Email flooding

• Unconfirmed reports from automated vulnerability scanners

• Reports related to permitted password strength

• Theoretical sub-domain takeovers with no supporting evidence

• Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

• Logout CSRF, forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)

• Directory listing (unless sensitive data can be found)

• Invalid or missing SPF/DKIM/DMARC records

• Blackhat SEO techniques

• Rate Limiting (Non-critical issues)

• Lack of Secure/HTTPOnly flags on non-sensitive cookies

• Generic examples of Host header attacks without evidence of the ability to target a remote victim

• Missing Security HTTP Headers (without proof of exploitability)

• Clickjacking on pages with no sensitive actions

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

What we are interested in:

• Attacks that lead to compromise of GoDaddy customer and employee data

• Widespread compromise of user accounts

• Authorization Bypass / Account Takeover

• Business logic flaws leading information disclosure and user impersonation etc.

• Remote code execution on systems and applications

• Access to administrator/superuser accounts

• Arbitrary access to a user’s sensitive data/functionality

• OS command injection, XSS, SQLi, SSRF, XXE, CSRF, Log4shell etc.

• Insecure Deserialization, SSI injection, Path Traversal, Buffer Overflow etc.

• Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR

• Cleartext submission of passwords and hardcoded credentials

Borderline Out-of-scope Vulnerabilities:

• Autocomplete attribute on web forms

• “Self” exploitation (such as Self-XSS)

• Verbose error pages (without proof of exploitability)

• Disclosure of server or software version numbers

• Use of known-vulnerable library (without proof of exploitability)

• Clickjacking / UI Redressing (without proof of exploitability)

• Content spoofing / text injection

• Tabnabbing

• Open Redirects that are not chained into a more impactful vulnerability


We may change these Terms at any time without notice. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.


You ARE eligible to participate in the Program if you meet all of the following criteria:

• You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

• Your organization does not allow you to participate in these types of programs;

• You are currently an employee of GoDaddy or a GoDaddy affiliated company, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;

• Within the six months prior to providing us your Submission you were an employee of GoDaddy or a GoDaddy affiliated company;

• You currently (or within six months prior providing to us your Submission) perform services for GoDaddy or a GoDaddy affiliated company in an external staff capacity that requires access to the GoDaddy Network, such as agency temporary worker, vendor employee, business guest, or contractor; or

• You are or were involved in any part of the development, administration, and/or execution of this Program.

• It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating to the program. GoDaddy disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.

There may be additional restrictions on your ability to enter depending upon your local law.


GoDaddy is not claiming any ownership rights to your Submission. However, by providing any Submission to GoDaddy, you:

• grant GoDaddy the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);

• agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;

• understand and acknowledge that GoDaddy may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;

• understand that you are not guaranteed any compensation or credit for use of your Submission; and

• represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to GoDaddy.


Protecting customers is GoDaddy’s priority. We endeavor to address each Submission in a timely manner. While we are doing that, we require that Submission remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the vulnerability is fixed. GoDaddy will notify you when the vulnerability in your Submission is fixed.

Limited Waiver of Other Site Terms & Policies

To the extent your security research activities are inconsistent with certain restrictions in our relevant site terms and polices but are consistent with the terms of this Program, we waive those restrictions for the sole and limited purpose of permitting your security research under this Program. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), there is a possibility that they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities as such testing is beyond the scope of our Program, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions. Please contact us at security@godaddy.com before engaging in conduct that may be inconsistent with or unaddressed by this Program. If in doubt, ask us first.


Other than your Submission, GoDaddy does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to GoDaddy through the Program or otherwise, GoDaddy makes no assurances that your ideas will be treated as confidential or proprietary.


This program have been found on Hackerone on 2022-07-18.

FireBounty © 2015-2022

Legal notices | Privacy