DigitalOcean does not use CVSS for its severity assessment. Instead, we take a contextual look at the impact and likelihood of a vulnerability and rate the resulting risk to our business or customers as Informational, Low, Medium, High, or Critical. This means that you can be sure real, experienced security professionals are looking at all the details of your report to determine the severity and resulting bounty payment; you're not limited by what an algorithm dictates. When we triage issues, we will provide justification for our severity decision if it differs from yours. Please note that our severity table ends at Critical. We will only consider the Exceptional tier for truly monumental impact to the organization.
When deciding what severity to set on your report, you may use CVSS, CWSS, SSVC, EPSS, or any other combination of tools to help you determine an accurate threshold. Please do not mark every issue a Critical/High severity unless you have reasonable justification for doing so.
DigitalOcean will only issue monetary rewards for reports demonstrating meaningful impact. If DigitalOcean decides to offer a reward for a vulnerability report, the value of the reward will be based on the impact and severity of the reported vulnerability, to be determined by DigitalOcean in its sole discretion. Awards are granted entirely at the discretion of DigitalOcean.
For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.
At DigitalOcean's discretion, providing more complete research, proof-of-concept code, and detailed writeups may increase the bounty awarded. Conversely, DigitalOcean may pay less for vulnerabilities that require complex or over-complicated interactions for which the impact or security risk is negligible.