Insights Monitoring: Moved to Out of Scope
5/19/2026, 7:48:09 PM (18 days ago)
5/19/2026, 7:49:08 PM

Hi Researchers,

We are temporarily taking our Insights Uptime service out-of-scope for our bug bounty program while it's being reworked. A shiny new version of Uptime checks is planned for release this summer.

At its launch, we will move this back in-scope with a 1.2x bonus (20%) reward on bounties for any new valid vulnerabilities submitted within its first 2 weeks.

Stay tuned, and keep an eye out for this announcement! :)

New product releases: DigitalOcean AI-Native Cloud and Inference Engine launches
4/29/2026, 9:04:14 PM (about 1 month ago)

Hey Researchers! We have lots of exciting new AI products!

As part of DigitalOcean’s Deploy conference yesterday, we released our new Inference Engine designed for production AI.

This is a unified control plane for AI inference that is built around four core capabilities:

  • Inference Router
  • Batch Inference
  • Serverless Inference
  • Dedicated Inference

Under our new Models Catalog, there’s also the ability to Bring Your Own Models (BYOM) and Evaluate Models. And definitely test out our new Model Access Keys.

For more info, see our blog and docs.

Check it out and let us know what you find :)

Happy Hacking!

New product launch: DigitalOcean Cloud Security Posture Management (CSPM)
4/1/2026, 8:40:55 PM (2 months ago)

Hi BBP Researchers! Available in the platform as of today, DO has a new CSPM tool that provides agentless, in-dashboard visibility into your infrastructure, helps you detect risks, and gives clear insight into potential security issues.

CSPM continuously evaluates DO resources including Droplets and Databases to identify misconfigurations and posture risks. Unlimited free scans are now available for every DigitalOcean customer!
Alongside these features, we’re introducing Security Advisor, a new AI capability under CSPM that brings an intelligence layer.

Please test out this new functionality and let us know what you find!

Access the new Security Console in your account dashboard: https://cloud.digitalocean.com/watchdeck?i=e0fda3
You can read more about this offering on our blog: https://www.digitalocean.com/blog/now-available-cloud-security-posture-management

Asset scope changes - DO GitHub repos
3/17/2026, 8:35:42 PM (3 months ago)

Hi researchers!
Due to a significant increase in invalid, AI-generated report submissions distracting from valid, impactful reports, we are removing our open-source GitHub repos from our bug bounty program scope, effective now.

Please review our updated program scope details before submitting new reports. Happy hacking!

Holiday Program Freeze 2025
12/8/2025, 8:58:59 PM (6 months ago)
2/26/2026, 8:51:24 PM

Hello hackers! Our bug bounty team is going to take a well-deserved break during the end-of-year holiday season, starting as of tomorrow for any new submissions. The program will remain open and Intigriti will validate issues; however, the DigitalOcean team will be delaying review of reports until after the new year. Please take a look at our temporarily adjusted validation times below.

Between Dec 9, 2025 and Jan 2, 2025:

| Vulnerability Severity | Time to validate |
| --- | --- |
| Exceptional | 3 Working days |
| Critical | 3 Working days |
| High | 14 Working days |
| Medium | To be reviewed after Jan 2 |
| Low | To be reviewed after Jan 2 |

Note: marking all reports as critical or exceptional so that they are reviewed faster during this window will not result in a positive outcome.

AMD Developer Cloud, powered by DigitalOcean
6/25/2025, 2:10:56 PM (12 months ago)
6/25/2025, 2:18:24 PM

Hello, researchers! We're excited to share that AMD recently launched the AMD Developer Cloud, powered by DigitalOcean, to provide developers and open-source contributors with a platform engineered to democratize access to AMD Instinct™ GPUs and empower developers and AI innovators worldwide.

These new AMD teams have slightly different access controls than regular DO Teams, so we encourage you to test permission boundaries and report any findings. If you find something that impacts security, we want to hear about it.

Get started at https://amd.digitalocean.com/login !

Note that new team billing credits don't apply to these teams, but for the next 30 days (ending July 25, 2025, inclusive) we will award 1.5x bounty rewards for any permissions/RBAC issues related to Teams and user roles inside Teams. This applies to regular DO teams and AMD teams. Recently, we have received several reports of RBAC issues which amounted to documentation clarification, not actual misconfigurations in the platform. Issues which are solely due to unclear documentation are not eligible for bounty rewards. Happy hacking!

Holiday Program Freeze
12/9/2024, 2:25:58 PM (over 1 year ago)

Hello hackers! Our bug bounty team is going to take a well-deserved break during the end-of-year holiday season. The program will remain open and Intigriti will validate issues; however, the DigitalOcean team will be delaying review of reports until after the new year. Please take a look at our temporarily adjusted validation times below.

Between Dec 9, 2024 and Jan 2, 2024:

| Vulnerability Severity | Time to validate |
| --- | --- |
| Exceptional | 3 Working days |
| Critical | 3 Working days |
| High | 14 Working days |
| Medium | To be reviewed after Jan 2 |
| Low | To be reviewed after Jan 2 |

Note: marking all reports as critical or exceptional so that they are reviewed faster during this window will not result in a positive outcome.

Asset scope changes
11/6/2024, 3:56:46 PM (over 1 year ago)

Hello researchers! We completed some fall cleaning and updated our assets. We've created a Tier 3 to better represent the impact and risk of certain assets and moved several domains from Tier 2 to Tier 3. We also added a new Tier 2 asset, snapshooter.com.

Give the updated assets list a look, and happy hacking!

CSS-Tricks program move
11/6/2024, 3:32:57 PM (over 1 year ago)

If you are looking for our CSS-Tricks asset, we have moved it to our other program; you can find it at https://app.intigriti.com/company/programs/digitalocean/cloudways !

New features launching - RBAC, and others!
7/9/2024, 4:54:54 PM (almost 2 years ago)

Hello researchers! We're excited to announce a slew of new products and features coming to DigitalOcean over the next several months at our Deploy conference, happening now. One of those features is upcoming RBAC for user roles on DigitalOcean. Those new roles are coming soon, but today the internal authorization system has been entirely overhauled in preparation for those features. As a result, we have removed our note that authZ issues with the Biller role are out of scope. They are back in-scope, along with any other authorization issues you can discover. Since the internal authZ system is new, there may be authZ problems we have missed, so it is worth reviewing the entire platform again! Good hunting!