14/08/2018

DuckDuckGo

DuckDuckGo is an Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs. With our roots as "the search engine that doesn’t track you", we’ve expanded what we do to protect you no matter where the Internet takes you.
We're committed to setting the new standard of trust online, and we look forward to working with the security community to find security vulnerabilities in order to keep our users safe. Check out more about us on https://duckduckgo.com.

SLA

DuckDuckGo will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission) - 2 business days
  • Time to triage (from first response) - 2 business days
  • Time to resolution - depends on severity and complexity.

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Follow HackerOne's disclosure guidelines.
  • Please do not discuss vulnerabilities (even resolved ones) outside of the program without express consent from DuckDuckGo.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid destruction of data, and interruption or degradation of our service.
  • When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Rewards

We are not offering monetary bounties at this time; however, we would love to send you some swag for valid submissions.

Out of scope vulnerabilities

The following issues are considered out of scope:

  • Open redirect reports.
  • Open proxy reports.
  • SSRF on proxy reports.
  • Clickjacking on pages with no sensitive actions.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Self-XSS without a plausible attack vector.

Thank you for helping keep DuckDuckGo and our users safe!


FireBounty (c) 2015-2018