DataDome Bot Bounty
Online fraud & bot management for mobile apps, websites & APIs
Reward
- Avg reward: -
- Max reward: -
Program
- Scopes: 6
- Supported languages: English, French
Hacktivity
- Reports: 42
- 1st response: < 1 day
- Reports last 24h: -
- Reports last week: 1
- Reports this month: 1
Program description
The goal of this program is to report ways around DataDome protection by implementing a scraping bot.
DataDome publishes these websites dedicated to researchers:
- bounty-nodejs.datashield.co (documentation on implementation)
- bounty-fastly.datashield.co (documentation on implementation)
- bounty-nginx.datashield.co (documentation on implementation)
The technical challenge consists of scraping as much content as possible without being blocked by DataDome protection:
- Minimum scenario: 20000 web pages scraped in less than an hour
- Medium scenario: 20000 web pages scraped in 30 minutes
- High scenario: 20000 web pages scraped in 10 minutes
- Critical scenario: 20000 web pages scraped in less than 1 minute
The report should contain:
- A basic explanation of the attack vector used.
- The code to reproduce the scraping scenario
- The IP(s) used during the attack
- The scraped content (hashes from the scraped pages) and HTTP requests return code (must be 200)
- The scraping speed (in hits per sec.)
The report will be classified as a duplicate if a previous report generated the same code fix.
Reward
| Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| | €200 | €800 | €2,000 | €5,000 |
Scopes
| Scope | Type | Asset value | Rewards grid |
|---|---|---|---|
| https://bounty-nodejs.datashield.co | Web application | | Low, Medium, High, Critical |
| https://bounty-fastly.datashield.co | Web application | | Low, Medium, High, Critical |
| https://bounty-nginx.datashield.co | Web application | | Low, Medium, High, Critical |
| *.captcha-delivery.com | Web application | | Low, Medium, High, Critical |
| js.datadome.co | Web application | | Low, Medium, High, Critical |
| api-js.datadome.co | API | | Low, Medium, High, Critical |
Out of scopes
- Distributed attacks (scraping must be done using only 1 IP at a time).
Vulnerability types
Qualifying vulnerabilities
- The program focuses only on client-side vulnerabilities or DataDome Bot Protection bypass.
Non-qualifying vulnerabilities
- Denial of service attacks
- Social engineering of DataDome employees and contractors
- Site vulnerabilities
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.