DataDome Bot Bounty
Online fraud & bot management for mobile apps, websites & APIs
Reward
Program
Avg reward -
Max reward -
Scopes: 6
Supported languages: English, French
Hacktivity
Reports: 27
1st response < 1 day
Reports last 24h: 1
Reports last week: 3
Reports this month: 3
The goal of this program is to report ways around DataDome protection by implementing a scraping bot.
DataDome publishes these websites dedicated to researchers:
- bounty-nodejs.datashield.co (documentation on implementation)
- bounty-fastly.datashield.co (documentation on implementation)
- bounty-nginx.datashield.co (documentation on implementation)
The technical challenge consists of scraping as much content as possible without being blocked by DataDome protection:
- Minimum scenario: 20000 web pages scraped in less than an hour
- Medium scenario: 20000 web pages scraped in 30 minutes
- High scenario: 20000 web pages scraped in 10 minutes
- Critical scenario: 20000 web pages scraped in less than 1 minute
The report should contain:
- A basic explanation of the attack vector used.
- The code to reproduce the scraping scenario
- The IP(s) used during the attack
- The scraped content (hashes from the scraped pages) and HTTP requests return code (must be 200)
- The scraping speed (in hits per sec.)
The report will be classified as a duplicate if a previous report generated the same code fix.
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
---|---|---|---|---|
 | €200 | €800 | €2,000 | €5,000 |
Scopes
Scope | Type | Asset value |
---|---|---|
https://bounty-nodejs.datashield.co | web-application | |
https://bounty-fastly.datashield.co | web-application | |
https://bounty-nginx.datashield.co | web-application | |
*.captcha-delivery.com | web-application | |
js.datadome.co | web-application | |
api-js.datadome.co | api | |
Out of scopes
- Distributed attacks (scraping must be done using only 1 IP at a time).
Vulnerability types
Qualifying vulnerabilities
- Program is only focused on client-side vulnerabilities or DataDome Bot Protection bypass.
Non-qualifying vulnerabilities
- Denial of service attacks
- Social engineering of DataDome employees and contractors
- Site vulnerabilities
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.