• Points – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

88 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$233.33 average payout (last 3 months)

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We care about creating a safe, resilient environment where our customers and community can innovate with confidence.


We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due it's potential likelihood or impact. If we downgrade a report we will provide a full, detailed explanation will be provided to the researcher (who has an opportunity to appeal.)

NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.

Reward Range

Last updated
Technical severity Reward range
p1 Critical Up to: $5,000
p2 Severe Up to: $2,500
p3 Moderate Up to: $500
p4 Low Up to: $150
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Website API

Focus Areas

We are particularly interested in:

  • Issues that result in full compromise of a system (RCE, Sandbox escapes, etc.)
  • Business logic bypasses resulting in significant impact

Responsible Disclosure

DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:

  • Share with us the full details of the issue, including any information needed to reproduce it.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not attempt to modify, damage, or access data that does not belong to you.

Attributes of a Good Report

We expect that issue reports contain:

  • Detailed steps for reproducing the issue. We prefer detailed steps over videos, though you can include any information you think we will find valuable.
  • If you were logged into a DigitalOcean account while performing the attack, please include account information in the report; this information makes certain issues much easier to debug.






DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.)


All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.)

If you have discovered a significant out-of-scope issue, please contact


When registering an account, please use your email address. For more info regarding @bugcrowdninja email addresses, see here.

If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).

Program Exclusions

  • Support tickets (due to the load on our support teams--please DO NOT perform any testing on, or create any, support tickets. Thanks!)
  • Rate limit bypasses, with the exception of those that have a direct security impact
  • Missing SPF/DMARC/DKIM settings on non-email DigitalOcean domains.
  • Publicly known processor sidechannel attacks
  • Any physical attempts against DigitalOcean property or data centers
  • Social engineering / phishing
  • DigitalOcean corporate infrastructure

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.