Senior Manager, Product Security
Today we are excited to launch DigitalOcean’s paid public bug bounty program, the next step in DigitalOcean’s long history of working with security researchers to identify security bugs on our platform. At DigitalOcean, we believe bug bounties are an indispensable tool for improving our security posture, and look forward to continued collaboration with security researchers in the future.
Our current bug bounty program is hosted on Intigriti at: https://app.intigriti.com/programs/digitalocean/digitalocean.
Please use this bug bounty program for all vulnerability communications, and make sure to review the program policy and details before submitting a report.
If for some reason you cannot report a submission to our bounty program, we also accept messages to security@digitalocean.com, and you can encrypt your messages with age if you feel strongly about doing so. We would prefer not to receive any communications using PGP, but a GPG public key is also provided at this link. Please review the program policy at our bug bounty program above for guidance on valid vs. invalid submissions before sending us a message. Note that we cannot reward bounties for email submissions—to be rewarded, you must submit vulnerabilities through the bug bounty program link.
DigitalOcean also receives embargoed security notices from several of our partners. If you are a maintainer of technology used by DigitalOcean and would like to inform us of an issue under embargo, please email us at security@digitalocean.com.
A responsible disclosure program is an important facet of a modern company’s security program. These programs provide a safe, structured method for security researchers to report potential issues to a company’s security team without fear of reprisal or legal action, as long as the research follows the company’s safe harbor guidelines. While there are exceptions, there are typically two types of programs: unpaid “vulnerability disclosure programs” and paid “bug bounty programs.” While it’s best to reward researchers for their time, an unpaid program is still a great way to interact with your security-conscious customers and improve your product, because it gives researchers the assurance that they will not be prosecuted for good-faith reports.
DigitalOcean first opened a private bug bounty program in 2017, with a maximum payment of $2,500 for the highest severity issues. In 2020, we moved our program from Bugcrowd to HackerOne and launched a public, unpaid vulnerability disclosure program alongside a private, paid bug bounty program with higher bounty rewards. This created a safe place for security researchers to report potential issues to our security team while laying out some ground rules.
We received a number of great reports over the years which led to improvements in our products. However, researchers frequently struggled to understand our infrastructure and product suite. To address the nuances of our product suite, at the beginning of 2022 we “relaunched” our bounty program with a much more comprehensive program policy and description of our services, which is the format still used today.
We also increased our bounty limits again, moving from fixed, static values to a range per severity tier. We began offering up to $450 for Low issues, up to $1,500 for Medium issues, up to $4,000 for High issues, and up to $8,000 for critical issues, paying researchers as soon as we completed triaging an issue. These program changes had a significant impact on our signal-to-noise ratio, turning ~90% false positives to ~90% true positives. Creating the new, comprehensive program policy made a massive difference! We paid out $63,787 in bounty rewards over the last 12 months and continue to offer these bounty thresholds per severity. We’d like to thank the security researchers who put in their time and effort to look for issues.
The success of our programs to date has largely been due to the consistent effort of our Product and Infrastructure Security teams. Our product security program owns our bug bounty process, including internal handling of issues and scaling our internal tools and processes. Both teams collaborate in triaging our issues. All bounty reports are triaged by a shared cohort after initial validation from Intigriti, our bug bounty vendor, and valid issues move into our internal vulnerability management program, in which unique issues are shared outside the security team as contextual “security debt” (more to come on this program in a future blog post).
As we continued to refine our program, our internal processes, and our collaboration methods with security researchers, we felt we were ready to offer a fully public paid bounty program, which would enable us to simplify our internal governance while retaining a high degree of quality and responsiveness to researchers’ reports. With our new public program, we will continue to offer security researchers a quick and comprehensive experience for reporting issues, and are excited to enable even more people to benefit from finding security bugs on our platform. To our current researchers, thank you for helping us secure DigitalOcean’s simplified cloud computing platform so developers and businesses can spend more time building software that changes the world. We’ll see you in our new program!