Holiday Program Freeze
12/9/2024, 2:25:58 PM (6 months ago)

Hello hackers! Our bug bounty team is going to take a well-deserved break during the end of year holiday season. The program will remain open and Intigriti will validate issues, however the DigitalOcean team will be delaying review of reports until after the new year. Please take a look at our temporarily adjusted validation times below.

Between Dec 9, 2024 and Jan 2, 2024:

| Vulnerability Severity | Time to validate |
|---|---|
| Exceptional | 3 Working days |
| Critical | 3 Working days |
| High | 14 Working days |
| Medium | To be reviewed after Jan 2 |
| Low | To be reviewed after Jan 2 |

Note: marking all reports as critical or exceptional so that they are reviewed faster during this window will not result in a positive outcome.

Asset scope changes
11/6/2024, 3:56:46 PM (8 months ago)

Hello researchers! We completed some fall cleaning and updated our assets. We've created a Tier 3 to better represent the impact and risk of certain assets and moved several domains from Tier 2 to Tier 3. We also added a new Tier 2 asset, snapshooter.com.

Give the updated assets list a look, and happy hacking!

CSS-Tricks program move
11/6/2024, 3:32:57 PM (8 months ago)

If you are looking for our CSS-Tricks asset, we have moved it to our other program. You can find it at https://app.intigriti.com/company/programs/digitalocean/cloudways!

New features launching - RBAC, and others!
7/9/2024, 4:54:54 PM (12 months ago)

Hello researchers! We're excited to announce a slew of new products and features coming to DigitalOcean over the next several months at our Deploy conference, happening now. One of those features is upcoming RBAC for user roles on DigitalOcean. Those new roles are coming soon, but today the internal authorization system has been entirely overhauled in preparation for those features. As a result, we have removed our note that authZ issues with the Biller role are out of scope. They are back in-scope, along with any other authorization issues you can discover. Since the internal authZ system is new, there may be authZ problems we have missed, so it is worth reviewing the entire platform again! Good hunting!