• Points – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

102 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$383.33 average payout (last 3 months)

Latest hall of famers

Recently joined this program

826 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We care about creating a safe, resilient environment where our customers and community can innovate with confidence.


We use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization of findings. However, we will modify a report's rating in some cases due it's potential likelihood or impact. If we downgrade a report we will provide a full, detailed explanation will be provided to the researcher (who has an opportunity to appeal.)

NOTE: Additional rewards may be awarded for particularly significant and/or complex issues.

Reward Range

Last updated
Technical severity Reward range
p1 Critical Up to: $5,000
p2 Severe Up to: $2,500
p3 Moderate Up to: $500
p4 Low Up to: $150
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Website API
DigitalOcean products associated with an account you created (e.g. droplets, load balancers, etc.) Website

Focus Areas

We are particularly interested in:

  • Issues that result in full compromise of a system (RCE, Sandbox escapes, etc.)
  • Business logic bypasses resulting in significant impact

Scope Exclusions

All other DigitalOcean domains or properties not listed are out of scope, including subdomains. All domains or properties hosted on DigitalOcean and controlled by third parties are out of scope (e.g. customer droplets, content stored in customer-owned spaces, etc.).

Additionally, we're not interested in the following types of results:

  • Support tickets (due to the load on our support teams--please DO NOT perform any testing on, or create any, support tickets. Thanks!)
  • Rate limit bypasses, with the exception of those that have a direct security impact
  • Missing SPF/DMARC/DKIM settings on non-email DigitalOcean domains.
  • Publicly known processor sidechannel attacks
  • Any physical attempts against DigitalOcean property or data centers
  • Social engineering / phishing
  • DigitalOcean corporate infrastructure

If you have discovered a significant out-of-scope issue, please contact us directly at


Attributes of a Good Report

We expect that issue reports contain:

  • Detailed steps for reproducing the issue. We prefer detailed steps over videos, though you can include any information you think we will find valuable.
  • If you were logged into a DigitalOcean account while performing the attack, please include account information in the report; this information makes certain issues much easier to debug.


When registering an account, please use your email address. For more info regarding @bugcrowdninja email addresses, see here.

If you are testing with an account that does not use a @bugcrowdninja email address, we may take action against it for perceived malicious activity (account locks, bans, etc.).

Responsible Disclosure

DigitalOcean appreciates the contributions made by the security research community. We will not take legal action against nor ask law enforcement to investigate researchers who:

  • Share with us the full details of the issue, including any information needed to reproduce it.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not attempt to modify, damage, or access data that does not belong to you.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.