DuckDuckGo is an Internet privacy company that empowers you to seamlessly take
control of your personal information online, without any tradeoffs. With our
roots as "the search engine that doesn’t track you", we’ve expanded what we do
to protect you no matter where the Internet takes you.
We're committed to setting a new standard of trust online, and we look forward
to working with the security community to find security vulnerabilities in
order to keep our users safe. Check out more about us on
DuckDuckGo will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submission) - 2 business days
- Time to triage (from first response) - 2 business days
- Time to resolution - depends on severity and complexity.
We’ll try to keep you informed about our progress throughout the process.
- Follow HackerOne's disclosure guidelines.
- Please do not discuss vulnerabilities (even resolved ones) outside of the program without express consent from DuckDuckGo.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid destruction of data, and interruption or degradation of our service.
- When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
We are not offering monetary bounties at this time; however, we would love to
send you some swag for valid submissions.
Out of scope vulnerabilities
The following issues are considered out of scope:
- Open redirect reports.
- Open proxy reports.
- SSRF on proxy reports.
- Clickjacking on pages with no sensitive actions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Self-XSS without a plausible attack vector.
Thank you for helping keep DuckDuckGo and our users safe!
Hall of Fame