• $100 – $2,500 per vulnerability
  • Managed by Bugcrowd

Program stats

82 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$300 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

For this program, we are inviting researchers to test our api, cloud, and spaces interfaces. These applications are built using Go and Rails, are used by our customers to launch and manage droplets, and to manage data in their own spaces. Our goal with this program is to ensure that our customers and employees are using a platform that's free of security vulnerabilities.

Responsible Disclosure Guidelines:

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give DigitalOcean a reasonable time to correct the issue before making any information public

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


In scope

Target name Type Website API


Focus Areas

This is the primary interface for users, and their touch point with DigitalOcean. While this portal makes use of a private API, no API documentation will be provided, as all testing should be performed within the context of the user portal.

This is a programmatic interface for the management of droplets, firewalls, load-balancers, etc. You can view the documentation for this here.


This is an S3-compatible interface for access to, and management of, assets on DigitalOcean Spaces. You can view the documentation for this here.


Out of scope

  • Vulnerabilities in other discovered applications owned by DigitalOcean, i.e. those not listed in the targets section of this program.
  • Third party websites hosted by non-DigitalOcean entities are not included in this program, including:
      • Customer droplets
      • Third-party resources
      • Content stored in customer-owned spaces
  • Rate limiting, with the exception of a direct security impact.
  • Support ticket creation is excluded from this program due to the load on our support teams. Please DO NOT perform any testing on, or create any, support tickets. Thanks!
  • Publicly known processor side-channel attacks.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.