DataDome Bug Bounty Program
Scope
The scope of the bug bounty is:
| Function | Domain |
|---|---|
| Customer Dashboard | app.datadome.co |
| Customer Dashboard - API | api-app.datadome.co |
| Customer API | customer-api.datadome.co |
| JavaScript | js.datadome.co |
| Captcha | *.captcha-delivery.com |
| Server-Side API used by modules | api.datadome.co |
| Client-Side API used by JS or SDK | api-js.datadome.co |
| Corporate Site | datadome.co or www.datadome.co |
| Server-Side modules (in customer infrastructure) | docs.datadome.co |
| Authentication | auth.datadome.co |
You can find all the information you need about DataDome at https://docs.datadome.co/docs
Out of Scope:
- The readme.com third-party service is out of scope
- auth.datadome.co is managed by the third-party provider Auth0; only vulnerabilities directly attributable to DataDome will be rewarded
- All domains not listed in-scope
- Third-party widgets on www.datadome.co and app.datadome.co
Important Notice:
This is a production environment. No data alterations are allowed inside DataDome infrastructure or on DataDome customer Cloud infrastructure. You must not affect the availability of the platform.
Testing Policy and Responsible Disclosure
Please adhere to the following rules while performing research on this program:
- Denial of service (DoS) attacks on DataDome applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate a large amount of network traffic.
- Only perform tests against your own accounts to protect our users' privacy.
- Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
- Do not copy any files from our applications/servers and disclose them.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
Proof of Exploitation
- Raw HTTP requests and responses are mandatory for every report. For each step of the exploit chain, you must provide the full request and response captured via Burp Suite, OWASP ZAP, curl, or any equivalent tool. This includes the method, endpoint, relevant headers, request body, status code, and response body confirming the impact. You may redact session cookies and any data not relevant to the vulnerability. Reports missing this evidence will be triaged as "Incomplete" until provided.
- Provide clear, step-by-step reproduction instructions with all necessary payloads, parameters, and commands.
- Screenshots showing the final impact are strongly appreciated.
- A PoC video demonstrating the full exploit chain is a welcome bonus.
Vulnerability Types
Qualifying Vulnerabilities
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- Directory Traversal Issues / Local File Disclosure
- Breach in the multi-tenant system (e.g., Sensitive Data Exposure)
- Security Misconfiguration
- Missing Function Level Access Control
Non-Qualifying Vulnerabilities
- Any hypothetical flaw or best practices without exploitable POC
- Unverified results of automated tools or scanners
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Mixed content warnings
- Vulnerabilities that are already publicly known or variations of such
- Vulnerabilities on other products or services than listed above
- Issues in DNS, NTP or SMTP
- Dangling DNS records or subdomain takeover without a real exploitable POC
- Clickjacking/UI redressing
- Software version disclosure without a real exploitable POC
- Stack traces or path disclosure without a real exploitable POC
- Vulnerabilities affecting outdated browsers or platforms
- Issues that require physical access to a victim's computer/device
- Logout and other instances of low-severity Cross-Site Request Forgery
- Issues not leading to a confidentiality, traceability or integrity problem
- Bot detection capability
- Brute-force attacks
- DataDome cookie missing the Secure flag
- Legacy TLS configuration on the "Protection API" (kept for backward compatibility with installed DataDome modules)
- Social engineering of DataDome employees and contractors
- Attacks against DataDome offices (malware, backdoors, DoS, …)
- Denial of service attacks
- DMARC vulnerabilities on datadome.co mail
- CSV injection vulnerabilities
- Third-party security issues (Auth0, Readme.com, ...)
Reward Structure
| Asset Value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| Critical | €50 | €300 | €1,000 | €3,000 |
| High | €50 | €200 | €500 | €1,000 |
Systemic Issues Reward Reduction
| Report Number | Reward Percentage |
|---|---|
| 1st report | 100% |
| 2nd report | 100% |
| 3rd report | 75% |
| 4th report | 50% |
| 5th report | 25% |
| 6th+ report | 10% |
Reward Eligibility
We are happy to thank everyone who submits valid reports which help us improve the security of DataDome. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see Vulnerability Types section above).
- The report must contain the following elements:
  - A clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and DataDome, and remediation advice for fixing the vulnerability.
- You must not break any of the testing policy rules listed above.
- You must not be a former or current employee of DataDome or one of its contractors.
Our security team will review each submitted finding and establish communication as soon as possible to reproduce and fix the reported vulnerability. Please allow 5 working days for our initial response. We ask you to make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
Hunting Requirements
Account Access
You can get a trial account that will give you legitimate access to our API by going to https://datadome.co/free-signup/.
DataDome Documentation is available at: https://docs.datadome.co/docs/getting-started
You must use your YesWeHack alias (@yeswehack.ninja) as the email address when signing up.
Enter bugbounty.datadome.co in the "Website to Protect" field.
Once the setup panel is displayed in the Dashboard, you can retrieve the server key and client key and send traffic to the following APIs:

```bash
# Server-side Protection API: validate a request using your server-side key
curl 'https://api.datadome.co/validate-request/' --data RequestModuleName=yeswehack --data ModuleVersion=1 --data IP=0.0.0.0 --data Request=/ --data Key=YOUR-SERVER-API-KEY
# Client-side API used by the JavaScript tag: send your client-side key
curl 'https://api-js.datadome.co/js/' --data-raw 'ddk=YOUR-CLIENT-KEY'
```
Documentation: https://docs.datadome.co/reference
Hunters Collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio. Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.