DataDome Bot Bounty
Online fraud & bot management for mobile apps, websites & APIs
The goal of this program is to report ways around DataDome protection by implementing a scraping bot.
DataDome publishes these websites dedicated to researchers:
- bounty-nodejs.datashield.co (documentation on implementation)
- bounty-fastly.datashield.co (documentation on implementation)
- bounty-nginx.datashield.co (documentation on implementation)
The technical challenge consists of scraping as much content as possible without being blocked by DataDome protection:
- Minimum scenario: 20000 web pages scraped in less than an hour
- Medium scenario: 20000 web pages scraped in 30 minutes
- High scenario: 20000 web pages scraped in 10 minutes
- Critical scenario: 20000 web pages scraped in less than 1 minute
The report should contain:
- A basic explanation of the attack vector used.
- The code to reproduce the scraping scenario.
- The IP(s) used during the attack.
- The scraped content in the form of hashes contained in the page from the scraped pages (not hashes of the raw HTML files themselves) and HTTP requests return code (must be 200).
- The scraping speed (in hits per sec.).
The report will be classified as a duplicate if a previous report generated the same code fix.
Reward
| Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| | €200 | €800 | €2,000 | €5,000 |
Scopes
| Scope | Type | Asset value | Rewards grid |
|---|---|---|---|
| https://bounty-nodejs.datashield.co | Web application | | Low, Medium, High, Critical |
| https://bounty-fastly.datashield.co | Web application | | Low, Medium, High, Critical |
| https://bounty-nginx.datashield.co | Web application | | Low, Medium, High, Critical |
| *.captcha-delivery.com | Web application | | Low, Medium, High, Critical |
| js.datadome.co | Web application | | Low, Medium, High, Critical |
| api-js.datadome.co | API | | Low, Medium, High, Critical |
Out of scopes
- Distributed attacks (scraping must be done using only 1 IP at a time).
Vulnerability types
Qualifying vulnerabilities
- Program is only focused on client-side vulnerabilities or DataDome Bot Protection bypass.
Non-qualifying vulnerabilities
- Denial of service attacks
- Social engineering of DataDome employees and contractors
- Site vulnerabilities
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.