2018-08-14
2019-08-06

DuckDuckGo

DuckDuckGo is the Internet privacy company for everyone who wants to take back their privacy online now. For over a decade, we've built features, created new technology, and worked with policymakers to make online privacy simple and accessible for all. Our product is one supercharged app with multiple types of privacy protection: Private Search, Web and App Protection, Email Protection, & more.

We're committed to setting the new standard of trust online, and we look forward to working with the security community to find security vulnerabilities in order to keep our users safe. Check out more about us on https://duckduckgo.com.

SLA

DuckDuckGo will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission) - 2 business days

  • Time to triage (from first response) - 2 business days

  • Time to resolution - depends on severity and complexity.

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Follow HackerOne's disclosure guidelines.

  • Please do not discuss vulnerabilities (even resolved ones) outside of the program without express consent from DuckDuckGo.

Program Rules

  • Please provide detailed reports with reproducible steps.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid destruction of data, and interruption or degradation of our service.

  • When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Rewards

We are not offering monetary bounties at this time; however, we would love to send you some swag for valid submissions.

Out of scope vulnerabilities

The following issues are considered out of scope:

  • Open proxy reports.

  • SSRF on proxy reports.

  • Clickjacking on pages with no sensitive actions.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Self-XSS without a plausible attack vector.

Out of scope endpoints

The following endpoints are considered out of scope:

  • va-ddgc-staging-web1.duckduckgo.com

  • va-ddgc-staging-web2.duckduckgo.com

  • duck.co

Thank you for helping keep DuckDuckGo and our users safe!

In Scope

Scope Type            Scope Name
android_application   com.duckduckgo.mobile.android
ios_application       com.duckduckgo.mobile.ios
web_application       *.duckduckgo.com
web_application       https://github.com/duckduckgo/duckduckgo-privacy-extension


This program covers 4 scopes in 3 scope categories.

FireBounty © 2015-2024
