Description

DigitalOcean, LLC. is an American multinational technology company and cloud service provider. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world.

Bounties (Tier 2: $100 - $10,000)

Severity      Score range    Bounty (min. $ - max. $)
Low           0.1 - 3.9      100 - 450
Medium        4.0 - 6.9      700 - 1,500
High          7.0 - 8.9      2,000 - 4,000
Critical      9.0 - 9.4      5,000 - 8,000
Exceptional   9.5 - 10.0     8,000 - 10,000
Rules of engagement

  • Required
  • Not applicable
  • max. 10 requests/sec
  • X-BBP-Researcher: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Program Rules

  • While testing, please only test against your own accounts and resources. Targeting DigitalOcean users or their resources (e.g. Droplets, Spaces, Databases, etc.) is NOT allowed.
  • Do not host personal or commercial applications on servers underneath your [@]intigriti.me DigitalOcean account.
  • While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
    • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
  • Multiple vulnerabilities caused by one underlying issue will be considered one issue.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.
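The two traffic rules above (the 10 requests/sec cap from the rules of engagement and the optional X-BBP-Researcher header) as an added researcher-side helper. This is example code written for this page, not DigitalOcean or Intigriti tooling; the class and function names are assumptions, and the injectable clock is a design choice so the limiter can be checked without real sleeps.

```python
"""Researcher-side helper for this program's traffic rules: stay under
10 requests/sec and tag every request with X-BBP-Researcher.
Example code written for this page, not DigitalOcean or Intigriti tooling."""
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional

PROGRAM_MAX_RPS = 10                     # "max. 10 requests/sec" (rules of engagement)
RESEARCHER_HEADER = "X-BBP-Researcher"   # header name from the rules of engagement


class SlidingWindowLimiter:
    """Permits at most `max_per_sec` sends inside any rolling one-second window.
    `clock` is injectable (assumed design choice) so tests need not sleep."""

    def __init__(self, max_per_sec: int = PROGRAM_MAX_RPS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if max_per_sec < 1:
            raise ValueError("max_per_sec must be at least 1")
        self.max_per_sec = max_per_sec
        self.clock = clock
        self._sent: Deque[float] = deque()   # send timestamps inside the window

    def wait_time(self) -> float:
        """Seconds to wait before the next send stays in budget (0.0 = go now)."""
        now = self.clock()
        while self._sent and now - self._sent[0] >= 1.0:   # age out old sends
            self._sent.popleft()
        if len(self._sent) < self.max_per_sec:
            return 0.0
        return 1.0 - (now - self._sent[0])   # wait until the oldest send leaves

    def record(self) -> None:
        """Note that a request was just sent."""
        self._sent.append(self.clock())

    def acquire(self) -> float:
        """Sleep until a send is allowed, record it, and return the wait used."""
        waited = self.wait_time()
        if waited > 0:
            time.sleep(waited)
        self.record()
        return waited


def tagged_headers(username: str, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build request headers carrying the researcher tag. Rejects empty values,
    surrounding whitespace and CR/LF (which would split the request), and
    refuses to let `extra` silently override the tag."""
    if not username or username.strip() != username or "\r" in username or "\n" in username:
        raise ValueError("username must be a non-empty token without whitespace or CR/LF")
    headers = dict(extra or {})
    if any(k.lower() == RESEARCHER_HEADER.lower() for k in headers):
        raise ValueError(f"{RESEARCHER_HEADER} is taken from `username`, not from `extra`")
    headers[RESEARCHER_HEADER] = username
    return headers


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    headers = tagged_headers("example_researcher")   # constructed sample username
    for i in range(12):                              # 12 sends: the last two must wait
        waited = limiter.acquire()
        print(f"request {i + 1:2d}: waited {waited:.2f}s, headers={headers}")
```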

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

DigitalOcean will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our DigitalOcean staff are located.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

We'll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to a $50 bonus to verify a resolved issue for us (when requested).
Awarding this bonus remains at the discretion of DigitalOcean.

Domains

*.digitalocean.com (Tier 2, Wildcard)

Public IPs belonging to AS14061 (DigitalOcean, LLC) are assigned to DigitalOcean customers and should be considered out of scope.

The following subdomains are out of scope:

  • cloudsupport.digitalocean.com
  • ideas.digitalocean.com
  • investor.digitalocean.com
  • investors.digitalocean.com
  • ir.digitalocean.com
  • deploy.digitalocean.com
  • pilot.digitalocean.com
  • rewards.digitalocean.com
  • anchor.digitalocean.com
  • waves.digitalocean.com
  • brand.digitalocean.com
  • go.digitalocean.com
  • groove.digitalocean.com
  • email.digitalocean.com
  • status.digitalocean.com
  • events.digitalocean.com
  • helpdesk.digitalocean.com
  • mirrors.digitalocean.com
  • segment.digitalocean.com
  • tracking.digitalocean.com

169.254.169.254 (Tier 2, IP Range)

Metadata service available at http://169.254.169.254/ from Droplets.

api.digitalocean.com (Tier 2, URL)

cloud.digitalocean.com (Tier 2, URL)

Findings against resources owned by your account should be filed underneath this asset.

  • While performing your research, please limit the scope of testing to only the accounts or resources that are owned by you.
  • If you discover a vulnerability that could allow you to bypass existing controls and gain access to other accounts, please do not take any further action against those accounts or data that are not owned by you.

css-tricks.com (Tier 2, URL)

digitaloceanmirrors.com (Tier 2, URL)

digitaloceanpartners.com (Tier 2, URL)

digitaloceanstatus.com (Tier 2, URL)

digitaloceantest.com (Tier 2, URL)

do.co (Tier 2, URL)

Company shortlink service.

dointernal.com (Tier 2, URL)

hackathon-tracker.digitalocean.com (Tier 2, URL)

API for hacktoberfest.com.

hacktoberfest.com (Tier 2, URL)

https://github.com/digitalocean/do-agent (Tier 2, Other)

A daemon that helps collect system metrics from Droplets.

https://github.com/digitalocean/do-markdownit (Tier 2, Other)

Markdown plugin run against all user-submitted content on https://digitalocean.com/community.

https://github.com/digitalocean/doctl (Tier 2, Other)

The official command line interface for the DigitalOcean API.

https://github.com/digitalocean/droplet-agent (Tier 2, Other)

A daemon that enables web console access on Droplets.

https://github.com/digitalocean/terraform-provider-digitalocean (Tier 2, Other)

DigitalOcean's official Terraform provider.

marketplace.digitalocean.com (Tier 2, URL)

Note that marketplace 1-click apps and add-ons are maintained by our partnered vendors and are out of scope. Security issues against these components of the marketplace are not in the scope of this program and are ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.

Please reach out to us at security@digitalocean.com for facilitation.

uatdo.com (Tier 2, URL)

www.digitalocean.com (Tier 2, URL)

*.db.ondigitalocean.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any database created inside your own account on this domain is considered in scope. Use the cloud.digitalocean.com asset in that case.

*.digitaloceanspaces.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any Spaces buckets created inside your own account on this domain are considered in scope. Use the cloud.digitalocean.com asset in that case.

*.doserverless.co (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any Functions created inside your own account on this domain are considered in scope. Use the cloud.digitalocean.com asset in that case.

*.k8s.ondigitalocean.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any Kubernetes clusters created inside your own account on this domain are considered in scope. Use the cloud.digitalocean.com asset in that case.

*.ondigitalocean.app (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any Apps created inside your own account on this domain are considered in scope. Use the cloud.digitalocean.com asset in that case.

Assets created by other DigitalOcean customers (Out of scope, Other)

Any asset (Droplet, Space, or otherwise) created by another DigitalOcean customer is not to be tested under any circumstances.

Marketplace Apps and Add-Ons (Out of scope, Other)

The marketplace applications and add-ons are maintained by our partnered vendors. Security issues in them are not in the scope of this program and are ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.
Please reach out to us at security@digitalocean.com for facilitation.

Other DigitalOcean open source projects not listed (Out of scope, Other)

All open source projects hosted by DigitalOcean not otherwise listed as in scope are out of scope.

registry.digitalocean.com/* (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out of scope.

Any container registries created inside your own account on this domain are considered in scope. Use the cloud.digitalocean.com asset in that case.

In scope

Introduction
DigitalOcean is a cloud service provider offering infrastructure-as-a-service and platform-as-a-service solutions. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world. At DigitalOcean, our customers’ trust is critical to us. We know that our customers need a secure foundation to build on, which is why we take security seriously. We look forward to working with the security community across the globe to find vulnerabilities in order to keep our customers and businesses safe. Please read the following content on how to best engage this program, stay within scope boundaries, and more.

High Impact Findings
We are particularly interested in findings that enable widespread compromise of other customers or penetrate DigitalOcean’s core backend systems. These behaviors are not limited to specific vulnerability categories, but some examples include:

  • Broken authorization leading to access of other DigitalOcean customer records
  • Breaking out of process controls (e.g. accessing the hypervisor from your guest)
  • Remote code execution on core DigitalOcean infrastructure
  • Cross-VM attacks to break the multi-tenancy architecture

Acceptable PoCs

  • Command execution: whoami, hostname, uname
  • File reads: /etc/hostname
  • File writes: /tmp/bbp_<intigriti username>
  • SQL injection: basic evidence (' OR 1='1 causes all rows to return and ' AND 0='1 causes zero rows to return) is fine, but feel free to extract the username of the database user as well

DigitalOcean Products

Compute

  • Droplets - On-demand Linux virtual machines
  • Kubernetes - Managed Kubernetes service
  • App Platform - Platform-as-a-Service (PaaS) offering allowing users to build, deploy, and scale apps quickly while DigitalOcean manages the infrastructure, app runtime, and dependencies
  • Functions - Serverless computing solution to run on-demand code

Storage

Networking

  • Load Balancers - Fully-managed, highly available network load balancing service
  • Cloud Firewalls - Network-based, stateful firewall service for Droplets
  • Virtual Private Cloud (VPC) - Logically isolated private network interface for cloud resources in the same account
  • Reserved IPs - Publicly-accessible static IP addresses that can be assigned to a Droplet
  • Domains and DNS - DNS records managed from the DigitalOcean control panel; they can be integrated with Load Balancers and Spaces to streamline TLS certificate management
    • NOTE: DigitalOcean is not a domain name registrar
  • IPv6 - You can enable IPv6 on Droplets

Management Tools

  • Monitoring - Free, opt-in service that gathers metrics about Droplet-level resource utilization
  • Uptime - Monitoring service that checks the health of any URL or IP address

Accounts

  • Teams - Teams are our account boundary. Someone in one team cannot manage resources in another team they are not a member of.
  • SSH Keys - Manage SSH keys available to be provisioned onto Droplets
  • 2FA - Using two-factor authentication (2FA) on DigitalOcean adds an additional layer of security against unauthorized access to your account

Tools and Services

  • API - DigitalOcean's public REST API
  • Images
    • Backups - Automatically-created disk images for Droplets
    • Snapshots - On-demand disk images of Droplets and volumes saved to your account
    • Custom Images - Custom Linux or Unix-like images that you can import to DigitalOcean
  • doctl - The official command line interface for the DigitalOcean API
  • do-agent - A daemon that collects system metrics from Droplets
  • droplet-agent - A daemon that enables web console access on Droplets

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here: Program feedback link
Please note that this form is checked periodically and should not be used for submissions or support queries.

Out of scope

Submissions targeting resources or accounts owned by other DigitalOcean customers are out of scope.

As a cloud provider, DigitalOcean owns a large IP space, and nearly every report we receive in which attribution is based solely on an IP address turns out to be an out-of-scope report on a customer. For example, assets (e.g. random public DigitalOcean IPs or Spaces buckets under the *.digitaloceanspaces.com domain) that Shodan or similar vulnerability scanners scan against are usually customers’ assets; they are out of the scope of this program and should never be tested against. Public IPs belonging to AS14061 (DigitalOcean, LLC) are usually assigned to DigitalOcean customers.

Please do not submit findings from automated scans unless you have verified and have high confidence that the vulnerable targets are part of DigitalOcean’s public infrastructure and have a demonstrated security impact. Repetitive submissions against DigitalOcean customers may result in expulsion from our program.

Access control issues with the Biller role

  • We have received several reports around access control with the Biller team role. We thank all researchers for their disclosure and collaboration on those reports. We are temporarily setting any further access control reports about the Biller role as out-of-scope while we resolve these reports through a holistic remediation.

Application

  • Use of known vulnerable 3rd party library or software without a working proof of concept to prove the exploitability and impact
  • WordPress username disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate limits or the non-existence of rate limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Host header injection without proven business impact
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
  • 3rd party links on static content referencing 3rd party domains that no longer exist

General

  • Publicly known processor side-channel attacks
    • The reason for this rule is that there is no safe way to test this without special setup. If you have strong reason to believe that an issue may impact our environment, please contact us at security@digitalocean.com and we'll work with you to set up an environment for safe testing.
  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 30 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Severity assessment

DigitalOcean does not leverage CVSS for its severity assessment. Instead, we take a contextual look at the impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers as Informational, Low, Medium, High, or Critical. This means that you can be sure real, experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification for our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider the Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.

DigitalOcean will only issue monetary rewards for reports demonstrating meaningful impact. If DigitalOcean decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by DigitalOcean in its sole discretion. Awards are granted entirely at the discretion of DigitalOcean.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At DigitalOcean's discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, DigitalOcean may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.

FAQ

How can I create an account?

You can self-register on the application, but please don’t forget to use your @intigriti.me email address.

  • Please create dedicated testing accounts for any DO security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
  • Please register a DigitalOcean account using your Intigriti @intigriti.me email.
  • Feel free to sign up for new accounts on https://try.digitalocean.com/freetrialoffer/ to receive $200 in credits valid for 60 days (a valid credit card is still required to be linked to the account).
  • If you are testing with an account that does not use your Intigriti email address, we may take action against it for perceived malicious activity (account locks, bans, etc.)
  • Once you have finished testing, don’t forget to spin down resources to avoid any undue consumption.
  • Beyond the free trial offer, we will not provide credits or reimburse charges to researchers.

I think I found SSRF. How can I prove it?

We have set up an internal service you can try to hit to prove SSRF in our environment.
There are two endpoints you can try:

  • https://ssrf-sheriff.internal.digitalocean.com/
  • https://ssrf-sheriff.s2r1.internal.digitalocean.com/

Please include your Intigriti username in an X-BBP-Researcher header if you are able to control headers in your SSRF attempt.

If your SSRF request is successful, you will receive a unique code to include in your report as proof of your success.
If you discover blind SSRF, the endpoint will trigger an alert for our Security team to validate against. Please include timestamp and IP information when you write up your report.


Overall stats

  • Submissions received: 71
  • Average payout: $629
  • Accepted submissions: 9
  • Total payouts: $5,026

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to decide: < 1 week
  • Avg. time to triage: < 3 days