Bug bounty
Public

DataDome Bot Bounty

Online fraud & bot management for mobile apps, websites & APIs

Reward

  • Bounty: €200
  • Low: €200
  • Medium: €800
  • High: €2,000
  • Critical: €5,000

Program

  • Avg reward: -
  • Max reward: -
  • Scopes: 6

Supported languages: English, French

Hacktivity

  • Reports: 27
  • 1st response: < 1 day
  • Reports last 24h: 1
  • Reports last week: 3
  • Reports this month: 3

The goal of this program is to report ways around DataDome protection by implementing a scraping bot.

DataDome publishes these websites dedicated to researchers:

The technical challenge consists of scraping as much content as possible without being blocked by DataDome protection:

  • Minimum scenario: 20000 web pages scraped in less than an hour
  • Medium scenario: 20000 web pages scraped in 30 minutes
  • High scenario: 20000 web pages scraped in 10 minutes
  • Critical scenario: 20000 web pages scraped in less than 1 minute

The report should contain:

  • A basic explanation of the attack vector used.
  • The code to reproduce the scraping scenario
  • The IP(s) used during the attack
  • The scraped content (hashes from the scraped pages) and the HTTP return code of each request (must be 200)
  • The scraping speed (in hits per sec.)

The report will be classified as a duplicate if a previous report generated the same code fix.


Reward

  • Asset value High: CVSS Low €200, CVSS Medium €800, CVSS High €2,000, CVSS Critical €5,000

Scopes

  • https://bounty-nodejs.datashield.co (type: web-application, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000
  • https://bounty-fastly.datashield.co (type: web-application, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000
  • https://bounty-nginx.datashield.co (type: web-application, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000
  • *.captcha-delivery.com (type: web-application, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000
  • js.datadome.co (type: web-application, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000
  • api-js.datadome.co (type: api, asset value: High): Low €200, Medium €800, High €2,000, Critical €5,000

Out of scopes

  • Distributed attacks (scraping must be done using only 1 IP at a time).

Vulnerability types

Qualifying vulnerabilities

  • The program focuses only on client-side vulnerabilities or DataDome Bot Protection bypass.

Non-qualifying vulnerabilities

  • Denial of service attacks
  • Social engineering of DataDome employees and contractors
  • Site vulnerabilities

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.