We care about creating a safe, resilient environment where our customers and community can innovate with confidence.
We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due to its potential likelihood or impact. If we downgrade a report, a full, detailed explanation will be provided to the researcher, who has an opportunity to appeal.
NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | Up to $5,000 |
| P2 Severe | Up to $2,500 |
| P3 Moderate | Up to $500 |
| P4 Low | Up to $150 |
We are particularly interested in:
- Issues that result in full compromise of a system (RCE, Sandbox escapes, etc.)
- Business logic bypasses resulting in significant impact
All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.).
Additionally, we're not interested in the following types of results:
- Support tickets (due to the load on our support teams--please DO NOT perform any testing on, or create any, support tickets. Thanks!)
- Rate limit bypasses, with the exception of those that have a direct security impact
- Missing SPF/DMARC/DKIM settings on non-email DigitalOcean domains.
- Publicly known processor sidechannel attacks
- Any physical attempts against DigitalOcean property or data centers
- Social engineering / phishing
- DigitalOcean corporate infrastructure
If you have discovered a significant out-of-scope issue, please contact us directly at firstname.lastname@example.org.
Attributes of a Good Report
We expect that issue reports contain:
- Detailed steps for reproducing the issue. We prefer detailed steps over videos, though you can include any information you think we will find valuable.
- If you were logged into a DigitalOcean account while performing the attack, please include account information in the report; this information makes certain issues much easier to debug.
When registering an account, please use your email@example.com email address. For more info regarding @bugcrowdninja email addresses, see here.
If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).
DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:
- Share with us the full details of the issue, including any information needed to reproduce it.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not attempt to modify, damage, or access data that does not belong to you.