For this program, we are inviting researchers to test our cloud platform interface. These applications are built on GoLang and rails and are used by our customers to launch and manage droplets. Our goal with this program is to ensure that our customers and employees are using a secure platform that's free of security vulnerabilities. For testing, please sign up with your @bugcrowdninja.com email address ('email@example.com).
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at DigitalOcean. Every day new security issues and attack vectors are created. DigitalOcean strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
Responsible Disclosure Guidelines:
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Do not modify or access data that does not belong to you
- Give DigitalOcean a reasonable time to correct the issue before making any information public
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
The user portal provides an interface for creating and managing droplets. It is the primary interface for users, and their touch point with DigitalOcean.
Any domain/property of DigitalOcean not listed in the targets section is out of scope. While the cloud interface leverages components of the API (api.digitalocean.com), direct calls to the API are out of scope for this program (that is to say, that no API documentation will be provided, as all testing should be performed within the context of the application).
Access and Credentials
- Researchers will need to sign up for an account at https://cloud.digitalocean.com/registrations/new
- There is a limit of 5 droplets per account (there should be no need for more than five);
DO NOTlaunch any droplets > 1gb of RAM
Ticket creation (cloud.digitalocean.com/support/tickets/new) is excluded from this test due to the load on our support teams. Please
DO NOT perform any testing on, or create any support tickets. Thanks!
- This program is currently focused on testing DigitalOcean's API & Cloud interfaces.
- Information regarding the API can be found on: https://developers.digitalocean.com
Vulnerabilities in other discovered applications owned by DigitalOcean
Third party websites hosted by non-DigitalOcean entities are not included in this program, including
- Customer Droplets
- Third-party resources
This bounty follows Bugcrowd’s standard disclosure terms.