Intigriti
Description

DigitalOcean, LLC. is an American multinational technology company and cloud service provider. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 2
min. $
max. $
100
450
700
1,500
2,000
4,000
5,000
8,000
8,000
10,000
Tier 2
$100 - $10,000
Rules of engagement
Required
Not applicable
max. 10 requests/sec
X-BBP-Researcher: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Program Rules

  • While testing, please only test against your own accounts and resources. Targeting DigitalOcean users or their resources (e.g. Droplets, Spaces, Databases, etc.) is NOT allowed.
  • Do not host personal or commercial applications on servers underneath your [@]intigriti.me DigitalOcean account.
  • While testing, we encourage (but do not require) you to include a custom HTTP header in all your requests.
    • Providing such information will assist us with correlating your traffic to your research and expedite our ability to validate your report.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.
  • Multiple vulnerabilities caused by one underlying issue will be considered one issue.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Please help make a good faith effort to avoid privacy violations, destruction of data, or service degradation.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

DigitalOcean will make a best effort to meet the following SLAs for hackers participating in our program.
The following SLAs are in business days (Mon-Fri) and may exclude days where there are regional holidays in the countries where our DigitalOcean staff are located.

Vulnerability Severity Time to validate
Exceptional 2 Working days
Critical 2 Working days
High 5 Working days
Medium 15 Working days
Low 15 Working days

We'll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to $50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of DigitalOcean to award.

Domains

*.digitalocean.com

Tier 2
Wildcard

Public IPs belonging to AS14061(DigitalOcean, LLC) are assigned to DigitalOcean customers and should be considered out of scope.

The following subdomains are out of scope:

  • cloudsupport.digitalocean.com
  • ideas.digitalocean.com
  • investor.digitalocean.com
  • investors.digitalocean.com
  • ir.digitalocean.com
  • deploy.digitalocean.com
  • pilot.digitalocean.com
  • rewards.digitalocean.com
  • anchor.digitalocean.com
  • waves.digitalocean.com
  • brand.digitalocean.com
  • go.digitalocean.com
  • groove.digitalocean.com
  • email.digitalocean.com
  • status.digitalocean.com
  • events.digitalocean.com
  • helpdesk.digitalocean.com
  • mirrors.digitalocean.com
  • segment.digitalocean.com
  • tracking.digitalocean.com

169.254.169.254

Tier 2
IP Range

Metadata service available at http://169.254.169.254/ from Droplets

Tier 2
URL
Tier 2
URL

Findings against resources owned by your account should be filed underneath this asset.

  • While performing your research, please limit the scope of testing to only the accounts or resources that are owned by you.
  • If you discover a vulnerability that could allow you to bypass existing controls and gain access to other accounts, please do not take any further action against those accounts or data that are not owned by you.
Tier 2
URL
Tier 2
URL
Tier 2
URL
Tier 2
URL
Tier 2
URL
Tier 2
URL

Company shortlink service

Tier 2
URL
Tier 2
URL

API for hacktoberfest.com

Tier 2
URL

https://github.com/digitalocean/do-agent

Tier 2
Other

A daemon that helps collect system metrics from droplets.

https://github.com/digitalocean/do-markdownit

Tier 2
Other

Markdown plugin run against all user-submitted content on https://digitalocean.com/community.

https://github.com/digitalocean/doctl

Tier 2
Other

The official command line interface for the DigitalOcean API.

https://github.com/digitalocean/droplet-agent

Tier 2
Other

A daemon that enables web console access on droplets

https://github.com/digitalocean/terraform-provider-digitalocean

Tier 2
Other

DigitalOcean's official Terraform provider.

Tier 2
URL

Note that marketplace 1-click apps and add-ons are maintained by our partnered vendors and are out of scope. Security issues against these components of the marketplace are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.

Please reach out to us at security@digitalocean.com for facilitation.

Tier 2
URL
Tier 2
URL

*.db.ondigitalocean.com

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any database created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.digitaloceanspaces.com

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Spaces buckets created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.doserverless.co

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Functions created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.k8s.ondigitalocean.com

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Kubernetes clusters created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

*.ondigitalocean.app

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any Apps created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

Assets created by other DigitalOcean customers

Out of scope
Other

Any asset (Droplet, Space, or otherwise) created by other DigitalOcean customers are not to be tested under any circumstances.

Marketplace Apps and Add-Ons

Out of scope
Other

The marketplace applications and add-ons are maintained by our partnered vendors. Security issues are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.
Please reach out to us at security@digitalocean.com for facilitation.

Other DigitalOcean open source projects not listed

Out of scope
Other

All open source projects hosted by DigitalOcean not otherwise listed as in-scope are out-of-scope.

registry.digitalocean.com/*

Out of scope
Wildcard

Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.

Any container registries created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.

In scope

Introduction
DigitalOcean is a cloud service provider offering infrastructure-as-a-service and platform-as-a-service solutions. DigitalOcean simplifies cloud computing so developers and businesses can spend more time building software that changes the world. At DigitalOcean, our customers’ trust is critical to us. We know that our customers need a secure foundation to build on, which is why we take security seriously. We look forward to working with the security community across the globe to find vulnerabilities in order to keep our customers and businesses safe. Please read the following content on how to best engage this program, stay within scope boundaries, and more.

Looking for other DigitalOcean assets? Take a look at our other bug bounty programs:

High Impact Findings
We are particularly interested in findings that enable widespread compromise of other customers or penetrate DigitalOcean’s core backend systems. These behaviors are not limited to specific vulnerability categories, but some examples include:

  • Broken authorization leading to access of other DigitalOcean customer records
  • Breaking out of process controls (e.g. access the hypervisor from your guest)
  • Remote code execution on core DigitalOcean infrastructure
  • Cross-VM attacks to break the multi-tenancy architecture

Acceptable PoCs

  • Command execution: whoami, hostname, uname
  • File reads: /etc/hostname
  • File writes: /tmp/bbp_<intigriti username>
  • SQL injection: basic evidence (' OR 1='1 causes all rows to return and ' AND 0='1 causes zero rows to return) is fine, but feel free to extract the username of the database user as well

DigitalOcean Products

Compute

  • Droplets - On-demand Linux virtual machines
  • Kubernetes - Managed Kubernetes service
  • App Platform - Platform-as-a-Service (PaaS) offering allowing users to build, deploy, and scale apps quickly while DigitalOcean manages the infrastructure, app runtime, and dependencies
  • Functions - Serverless computing solution to run on-demand code

Storage

Networking

  • Load Balancers - Fully-managed, highly available network load balancing service
  • Cloud Firewalls - Network-based, stateful firewall service for Droplets
  • Virtual Private Cloud (VPC) - Logically isolated private network interface for cloud resources in the same account
  • Reserved IPs - Publicly-accessible static IP addresses that can be assigned to a Droplet
  • Domains and DNS - DNS records managed from the DigitalOcean control panel, and can be integrated with Load Balancers and Spaces to streamline TLS certificate management
    • NOTE: DigitalOcean is not a domain name registrar
  • IPv6 - You can enable IPv6 on Droplets

Management Tools

  • Monitoring - Free, opt-in service that gathers metrics about Droplet-level resource utilization
  • Uptime - Monitoring service that checks the health of any URL or IP address

Accounts

  • Teams - Teams are our account boundary. Someone in one team cannot manage resources in another team they are not a member of.
  • SSH Keys - Manage SSH keys available to be provisioned onto Droplets
  • 2FA - Using two-factor authentication (2FA) on DigitalOcean adds an additional layer of security against unauthorized access to your account

Tools and Services

  • API - DigitalOcean's public REST API
  • Images
    • Backups - Automatically-created disk images for Droplets
    • Snapshots - On-demand disk images of Droplets and volumes saved to your account
    • Custom Images - Custom Linux or Unix-like images that you can import to DigitalOcean
  • doctl - The official command line interface for the DigitalOcean API
  • do-agent - A daemon that collects system metrics from Droplets
  • droplet-agent - A daemon that enables web console access on Droplets

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here: Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Submissions targeting resources or accounts owned by other DigitalOcean customers are out of scope.

As a cloud provider, DigitalOcean owns a large IP space and nearly every report we receive in which attribution is solely based on IP address are out of scope reports on customers. For example, assets (e.g. random public DigitalOcean IPs or Spaces buckets with *.digitaloceanspaces.com domain) that Shodan or similar vulnerability scanners scan against are usually customers’ assets and thus are out of the scope of this program and should never be tested against. Public IPs belonging to AS14061(DigitalOcean, LLC) are usually assigned to DigitalOcean customers.

Please do not submit findings from automated scans unless you have verified and have high confidence that the vulnerable targets are part of DigitalOcean’s public infrastructure and have a demonstrated security impact. Repetitive submissions against DigitalOcean customers may result in expulsion from our program.

Application

  • Use of known vulnerable 3rd party library or software without a working proof of concept to prove the exploitability and impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Host header injection without proven business impact
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
  • Links on static content referencing 3rd party domains that no longer exist

General

  • Publicly known processor side-channel attacks
    • The reason for this rule is that there is no safe way to test this without special setup. If you have strong reason to believe that an issue may impact our environment, please contact us at security@digitalocean.com and we'll work with you to set up an environment for safe testing.
  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 30 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

DigitalOcean does not leverage CVSS for its severity assessment. Instead, we take a contextual look at impact and likelihood of a vulnerability and determine the commensurate risk to our business or customers between Informational, Low, Medium, High, or Critical. This means that you can be sure real, experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification as to our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider Exceptional tier for truly monumental impact to the organization.

When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.

DigitalOcean will only issue monetary rewards for reports demonstrating meaningful impact. If DigitalOcean decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by DigitalOcean in its sole discretion. Awards are granted entirely at the discretion of DigitalOcean.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

At DigitalOcean's discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, DigitalOcean may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.

FAQ

How can I create an account?

You can self-register on the application, but please don’t forget to use your @intigriti.me email address.

  • Please create dedicated testing accounts for any DO security research engagement. This allows our teams to know if any anomalous activity is associated with Intigriti or potential bad actors.
  • Please register a DigitalOcean account using your Intigriti @intigriti.me email.
  • Feel free to sign up for new accounts on https://try.digitalocean.com/freetrialoffer/ to receive $200 in credits valid for 60 days (a valid credit card is still required to be linked to the account).
  • If you are testing with an account that does not use your Intigriti email address, we may take action against it for perceived malicious activity (account locks, bans, etc.)
  • Once you have finished testing, don’t forget to spin down resources to avoid any undue consumption.
  • Beyond the free trial offer, we will not provide credits or reimburse charges to researchers.

I think I found SSRF. How can I prove it?

We have set up an internal service you can try to hit to prove SSRF in our environment.
There are two endpoints you can try:

  • https://ssrf-sheriff.internal.digitalocean.com/
  • https://ssrf-sheriff.s2r1.internal.digitalocean.com/

Please include your Intigriti username in an X-BBP-Researcher header if you are able to control headers in your SSRF attempt.

If your SSRF request is successful, you will receive a unique code to include in your report as proof of your success.
If you discover blind SSRF, the endpoint will trigger an alert for our Security team to validate against. Please include timestamp and IP information when you write up your report.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Overall stats
submissions received
141
average payout
$1,259
accepted submissions
16
total payouts
$18,876
Last 90 day response times
avg. time first response
< 3 days
avg. time to decide
< 3 weeks
avg. time to triage
< 4 days
Activity
7/22
DigitalOcean
closed a submission
7/22
logo
created a submission
7/20
logo
created a submission
7/19
logo
created a submission
7/19
DigitalOcean
closed a submission
7/18
logo
created a submission
7/18
DigitalOcean
closed a submission
7/18
DigitalOcean
closed a submission
7/18
DigitalOcean
closed a submission
7/17
logo
created a submission