Cloud computing platform DigitalOcean on Wednesday announced the public availability of its bug bounty program, after successfully running it in private mode.
Like the private program, the public one was launched in collaboration with Bugcrowd, which provides DigitalOcean with access to a large crowd of researchers and allows it to focus internal resources “on keeping the cloud secure.”
On the program’s page, the company reveals that the bounties available for interested researchers range from $150 to $2,500 per bug, depending on the severity and impact of the discovered flaw. At the moment, the company accepts vulnerabilities found in https://api.digitalocean.com and https://cloud.digitalocean.com.
According to the company, it plans on investigating legitimate reports received through the program and on addressing vulnerabilities as fast as possible. Moreover, DigitalOcean says that it won’t take legal action against (or ask law enforcement to investigate) researchers who comply with a series of straightforward requirements.
Specifically, the company asks researchers to provide it with all the necessary details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC), as well as to make “a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation” of services.
Researchers are also required to avoid accessing or modifying data that does not belong to them, as well as to provide the company with reasonable time to correct the issue before making any information public.
DigitalOcean's public bug bounty program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings, the company also announced.
Researchers interested in the program are encouraged to register for a new account on the company’s website and will receive access to five droplets. They are required to refrain from launching droplets with more than 1GB of RAM, and to focus on the aforementioned resources, except ticket creation. Vulnerabilities in other applications owned by DigitalOcean aren’t within the scope of the program either.
“Incorporating Bugcrowd's platform into DigitalOcean's overall security strategy has noticeably decreased the window for detecting vulnerabilities in our cloud. Additionally, and in line with our culture of love, we are able to have a more consistent interaction with security researchers through Bugcrowd, and we are able to reward researchers for their hard work!” DigitalOcean Director of Security Nick Vigier said.
The partnership with Bugcrowd, the company says, should provide it with good, consistent communication with researchers, while ensuring its development teams are provided with actionable and validated vulnerabilities. “We are excited to extend our program and continue enjoying the benefits of crowdsourced security testing,” Vigier concluded.
Last year, Bugcrowd’s second annual State of Bug Bounty Report revealed that an increasing number of “traditional” industries are launching bug bounty programs to secure their products and services. Earlier this week, the company revealed a partnership with Qualys to allow joint customers to share vulnerability data across automated web application scanning and crowdsourced bug bounty programs.