
DuckDuckGo is an Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs. With our roots as "the search engine that doesn’t track you", we’ve expanded what we do to protect you no matter where the Internet takes you.
We're committed to setting the new standard of trust online, and we look forward to working with the security community to find security vulnerabilities in order to keep our users safe. Check out more about us on __.


DuckDuckGo will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission) - 2 business days
  • Time to triage (from first response) - 2 business days
  • Time to resolution - depends on severity and complexity.

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Follow HackerOne's disclosure guidelines __.
  • Please do not discuss vulnerabilities (even resolved ones) outside of the program without express consent from DuckDuckGo.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid destruction of data, and interruption or degradation of our service.
  • When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.


We are not offering monetary bounties at this time; however, we would love to send you some swag for valid submissions.

Out of scope vulnerabilities

The following issues are considered out of scope:

  • Open redirect reports.
  • Open proxy reports.
  • SSRF on proxy reports.
  • Clickjacking on pages with no sensitive actions.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Self-XSS without a plausible attack vector.

Thank you for helping keep DuckDuckGo and our users safe!

In Scope

Scope Type Scope Name





This program leverages 4 scopes in 3 scope categories.

FireBounty © 2015-2019