Bug bounty
Public

DataDome Bug Bounty

Online fraud & bot management for mobile apps, websites & APIs

Reward

Bounty: €50

  • Low: €50
  • Medium: €300
  • High: €1,000
  • Critical: €3,000

Program

  • Avg reward: -
  • Max reward: -
  • Scopes: 8

Supported languages
English
French

Hacktivity

  • Reports: 263
  • 1st response: < 1 day
  • Reports last 24h: -
  • Reports last week: 3
  • Reports this month: 5

Scope

The scope of the bug bounty is:

| Function | Domain |
| --- | --- |
| Customer Dashboard | app.datadome.co |
| Customer API | customer-api.datadome.co |
| JavaScript | js.datadome.co |
| Captcha | *.captcha-delivery.co |
| Server-Side API used by modules | api.datadome.co |
| Client-Side API used by JS or SDK | api-js.datadome.co |
| Corporate Site | datadome.co or www.datadome.co |
| Server-Side modules (in customer infrastructure) | docs.datadome.co |
| Authentication | auth.datadome.co |

You can find all the information you need about DataDome at https://docs.datadome.co/docs. The third-party readme.com platform is out of scope.

auth.datadome.co is managed by the third party Auth0; only vulnerabilities directly attributable to DataDome will be rewarded.

Keep in mind this is a production environment, no data alterations are allowed inside DataDome infrastructure or on DataDome customer Cloud infrastructure, and, therefore, you must not affect the availability of the platform.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on DataDome applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate a large amount of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of DataDome, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
      • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and DataDome, and remediation advice on fixing the vulnerability.
      • Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact.
      • Complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands, etc.
  • You must not break any of the testing policy rules listed above.
  • You must not be a former or current employee of DataDome or one of its contractors.

Our security team will review each submitted finding and establish communication as soon as possible to reproduce and resolve the reported vulnerability. Please allow 5 working days for our initial response. We ask you to make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.


Reward

| Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
| --- | --- | --- | --- | --- |
| Critical | €50 | €300 | €1,000 | €3,000 |
| High | €50 | €200 | €500 | €1,000 |

Scopes

| Scope | Type | Asset value | Low | Medium | High | Critical |
| --- | --- | --- | --- | --- | --- | --- |
| https://app.datadome.co | web-application | Critical | €50 | €300 | €1,000 | €3,000 |
| https://customer-api.datadome.co | api | Critical | €50 | €300 | €1,000 | €3,000 |
| https://api.datadome.co | api | Critical | €50 | €300 | €1,000 | €3,000 |
| https://api-js.datadome.co | api | Critical | €50 | €300 | €1,000 | €3,000 |
| https://*.captcha-delivery.com | web-application | Critical | €50 | €300 | €1,000 | €3,000 |
| https://auth.datadome.co | web-application | Critical | €50 | €300 | €1,000 | €3,000 |
| https://datadome.co | web-application | High | €50 | €200 | €500 | €1,000 |
| https://bot-tester.datadome.co/ | web-application | High | €50 | €200 | €500 | €1,000 |

Out of scopes

  • All domains not listed In-Scope
  • Third-party widgets on www.datadome.co and app.datadome.co

Vulnerability types

Qualifying vulnerabilities

  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • Directory Traversal Issues / Local File Disclosure
  • Breach in the multi-tenant system (e.g. Sensitive Data Exposure)
  • Security Misconfiguration
  • Missing Function Level Access Control

Non-qualifying vulnerabilities

  • Any hypothetical flaw or best practices without exploitable POC
  • Unverified results of automated tools or scanners
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Mixed content warnings
  • Vulnerabilities that are already publicly known or variations of such
  • Vulnerabilities on other products or services than listed above
  • Issues in our DNS, NTP or SMTP
  • DNS Dangling or SubDomain takeover without a real exploitable POC
  • Clickjacking/UI redressing
  • Software version disclosure without a real exploitable POC
  • Stack traces or path disclosure without a real exploitable POC
  • Vulnerabilities affecting outdated browsers or platforms
  • Issues that require physical access to a victim’s computer/device
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Issues not leading to a confidentiality, traceability or integrity problem. You can report these to support@datadome.co. This can give you a better experience and help you in your research.
  • Bot detection capability
  • Brute-force attack
  • DataDome cookie doesn't have the secure flag
  • Using old TLS configuration on "Protection API" (needed for retro-compatibility with DataDome module installed)
  • Social engineering of DataDome employees and contractors
  • Attack against DataDome office (malware, backdoor, DoS, …)
  • Denial of service attacks
  • DMARC vulnerabilities on datadome.co mail
  • CSV injection vulnerabilities
  • 3rd parties security issues (Auth0, Readme.com...)

Hunting requirements

Account access

You can get a trial account that gives you legitimate access to our API at https://datadome.co/free-signup/.

DataDome Documentation is here: https://docs.datadome.co/docs/getting-started

You must use your YesWeHack alias (@yeswehack.ninja) as the e-mail address to sign up.

Please put in "Website to Protect": bugbounty.datadome.co

Once the setup panel is displayed in the Dashboard, you can retrieve the server key and client key, and you must send traffic to 2 APIs:

curl 'https://api.datadome.co/validate-request/' --data RequestModuleName=yeswehack --data ModuleVersion=1 --data IP=0.0.0.0 --data Request=/ --data Key=YOUR-SERVER-API-KEY

curl 'https://api-js.datadome.co/js/' --data-raw 'ddk=YOUR-CLIENT-KEY'

Doc: https://docs.datadome.co/reference


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.