For this program, we are inviting researchers to test our cloud platform interface. These applications are built on GoLang and rails and are used by our customers to launch and manage droplets. Our goal with this program is to ensure that our customers and employees are using a secure platform that's free of security vulnerabilities. For testing, please sign up with your @bugcrowdninja.com email address ('username'@bugcrowdninja.com).

Responsible Disclosure Guidelines:
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
    • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
    • Do not modify or access data that does not belong to you
    • Give DigitalOcean a reasonable time to correct the issue before making any information public

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Targets

In scope

The user portal provides an interface for creating and managing droplets. It is the primary interface for users, and their touch point with DigitalOcean.

Any domain/property of DigitalOcean not listed in the targets section is out of scope. While the cloud interface leverages components of the API (api.digitalocean.com), direct calls to the API are out of scope for this program (that is to say, that no API documentation will be provided, as all testing should be performed within the context of the application).

Access and Credentials

  • Researchers will need to sign up for an account at https://cloud.digitalocean.com/registrations/new
  • There is a limit of 5 droplets per account (there should be no need for more than five); DO NOT launch any droplets > 1gb of RAM

Also Excluded:

Ticket creation (cloud.digitalocean.com/support/tickets/new) is excluded from this test due to the load on our support teams. Please DO NOT perform any testing on, or create any support tickets. Thanks!

Focus Areas

  • This program is currently focused on testing DigitalOcean's API & Cloud interfaces.
    • https://cloud.digitalocean.com
    • Information regarding the API can be found on: https://developers.digitalocean.com

Out-of-Scope

Vulnerabilities in other discovered applications owned by DigitalOcean
Third party websites hosted by non-DigitalOcean entities are not included in this program, including

  • Customer Droplets
  • Third-party resources

Rules

This bounty follows Bugcrowd’s standard disclosure terms.