The goal of this program is to find ways to bypass DataDome bot protection by implementing a scraping bot against our dedicated test environments. Reports about configuration weaknesses, information disclosure, or web application vulnerabilities are out of scope for this program.
All scenarios require scraping real content from a single IP address. The minimum threshold to qualify is 30,000 allowed requests confirmed in the DataDome Dashboard.
The report should contain:

- A description of the attack vector used and the protection mechanism being bypassed.
- The complete, runnable code to reproduce the scenario.
- The single IP address used during the attack.
- The scraped content, in the form of the hashes embedded in the scraped pages (not hashes of the raw HTML files themselves), together with the HTTP response code of each request (must be 200). This flag has the form pagehash_<random_hash> (for example pagehash_b94337d90dafb27683afac39d2a24b3c).
- A CSV file with two columns: the page URL and its associated hash.
- The scraping speed (in hits per second).
We verify all findings using the DataDome Dashboard Explore section. To qualify, we must observe at least 30,000 allowed requests from your declared IP within the stated time window. We will share a screenshot to confirm or reject the finding. Reports that do not meet this threshold will be closed regardless of the technique described.
Reference: https://docs.datadome.co/docs/how-to-explore-your-data
Page hashes are the only valid proof of real content. Regardless of the HTTP status code returned, only requests that yield a valid pagehash_<random_hash> extracted from the page content count as bypassed.
Obtaining a DataDome cookie is not a bypass. Acquiring a cookie from any DataDome endpoint does not qualify on its own. Proof must include the full CSV of page hashes and Dashboard-confirmed allowed requests.
Scraping of static assets or URLs excluded from protection by configuration does not qualify. Only requests to protected content count toward the volume threshold.
Findings on DataDome supporting infrastructure only qualify as part of a demonstrated bypass. Any observation on endpoints outside the three target environments, including design characteristics of those endpoints, must be directly linked to a successful scraping scenario meeting the volume thresholds above. Informational findings will not be rewarded.
A report is a duplicate if a previously accepted report identified the same root bypass mechanism, even if the implementation differs. Variants of a known technique that share the same underlying evasion logic will be closed as duplicates.
If the same attack vector bypasses protection across multiple target domains, only one report will be accepted and rewarded.
| Scope Type | Scope Name |
|---|---|
| api | api-js.datadome.co |
| web_application | https://bounty-nodejs.datashield.co |
| web_application | https://bounty-fastly.datashield.co |
| web_application | https://bounty-nginx.datashield.co |
| web_application | *.captcha-delivery.com |
| web_application | js.datadome.co |

| Scope Type | Scope Name |
|---|---|
| undefined | Distributed attacks (scraping must be performed from a single IP at a time) |
| undefined | Denial of service attacks or any technique whose goal is to degrade infrastructure availability. This falls outside the scope of bot protection bypass and will not be rewarded. |
| undefined | Social engineering of DataDome employees or contractors |
| web_application | Client-side web vulnerabilities |
Firebounty crawled the program DataDome Bot Bounty on the platform Yeswehack on 2024-01-17.
FireBounty © 2015-2026