Program stats

62 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

$106.67 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

For this program, we are inviting researchers to test our cloud platform interface. These applications are built on Golang and Rails and are used by our customers to launch and manage droplets. Our goal with this program is to ensure that our customers and employees are using a secure platform that's free of security vulnerabilities.

Responsible Disclosure Guidelines:
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (PoC)
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give DigitalOcean a reasonable time to correct the issue before making any information public

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


The user portal provides an interface for creating and managing droplets. It is the primary interface for users, and their touch point with DigitalOcean.

Any domain/property of DigitalOcean not listed in the targets section is out of scope. While the cloud interface leverages components of the API, direct calls to the API are out of scope for this program (that is to say, no API documentation will be provided, as all testing should be performed within the context of the application).

Focus Areas

This program is currently focused on testing DigitalOcean's API & Cloud interfaces.

  • Information regarding the API can be found on:


  • Vulnerabilities in other discovered applications owned by DigitalOcean
  • Third party websites hosted by non-DigitalOcean entities are not included in this program, including
    • Customer Droplets
    • Third-party resources
    • Rate limiting, with the exception of a direct security impact
  • Ticket creation is excluded from this test due to the load on our support teams. Please DO NOT perform any testing on, or create any support tickets. Thanks!


This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.