Skip to main content

Vulnerability Reward Program

We have long enjoyed a close relationship with the security research community. To honor all the cutting-edge external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program for DoiT-owned web properties.

General Guidelines

  • By participating in this program, you agree not to discuss or otherwise disclose your ongoing work under this program or any vulnerabilities with parties outside the program without explicit consent from DoiT, except as provided below.

  • Our vulnerability program prioritizes findings that clearly demonstrate a genuine impact on the confidentiality and integrity of our systems, users, or data. Reports without a measurable business impact will not be eligible for consideration and will be classified as "Not Valid".

  • Vulnerability reports that do not include careful manual validation, such as reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability, will be automatically closed as "Not Applicable".

  • Sensitive information is considered as user credentials, information stored within our databases, DoiT and its customers' personally identifiable information and business information, private API keys and authentication tokens.

  • Submissions demonstrating deep understanding, innovative exploitation techniques, and strategic impact analysis will likely qualify for higher rewards.

  • DoiT employs comprehensive vulnerability scanning tools to continuously identify and mitigate known security vulnerabilities. Due to the extensive use of these scanners, vulnerabilities that can be readily identified by standard scanning tools may already be known to our security team. We may respond to reports by indicating that we already know the reported vulnerability.

  • Collect only the necessary information to demonstrate the vulnerability. Do not conduct any escalation processes.

Vulnerabilities in Third-Party Systems

Scope of Responsibility

DoiT utilizes various third-party tools and software to support its operations and services. While these tools are integral to our workflow, it is essential to clarify that our vulnerability bounty program does not cover vulnerabilities found directly within these third-party products.

Many vendors have vulnerability disclosure or bounty programs specifically designed to handle vulnerability reports.

Guidelines for Reporting Third-Party Vulnerabilities

  • We support the responsible disclosure of vulnerabilities directly to the affected vendors, allowing them the opportunity to address and remediate issues in a manner that best protects their users. This approach aligns with our commitment to enhancing the overall security ecosystem.

  • In cases where a vulnerability in a third-party tool impacts our systems or data, we encourage researchers to collaborate with us and the vendor to ensure a coordinated disclosure process. This ensures that appropriate mitigations can be implemented effectively across all affected parties, thereby minimizing potential harm.

  • Our security team can provide contact information for the vendor's security or support team to facilitate the reporting process.

Acknowledgment

While vulnerabilities within third-party tools may not be eligible for rewards from our program, we recognize the importance of these findings in maintaining a secure cyber environment and encourage researchers to engage directly with vendors for the broader benefit of the community

Services in scope

In principle, any DoiT-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains. Generally, bugs in DoiT Platform, including Flexsave will also qualify.

  • *.doit.com
  • *.doit-intl.com

On the flip side, the program has two important exclusions to keep in mind:

  • Third-party sites. Our vendors or partners may operate some DoiT-branded services hosted in less common domains. We can't authorize you to test these systems on behalf of their owners and will not reward such reports. Please read the fine print on the page and examine domain and IP WHOIS records to confirm. If in doubt, talk to us first!

  • Recent acquisitions. To allow internal review and remediation time, newly acquired companies are subject to a 12-month blackout period. Bugs reported sooner than that will typically not qualify for a reward.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data will likely be in the program's scope. Common examples include:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • Server-side code execution bugs.

Note that the program's scope is limited to technical vulnerabilities in DoiT-owned browser extensions, mobile and web applications; please do not try to sneak into DoiT-owned real estate properties, attempt phishing attacks against our employees, etc.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable tactics. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Non-qualifying vulnerabilities

Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:

  • Vulnerabilities in *.bc.googleusercontent.com or *.appspot.com. These domains are used to host many of our applications that belong to Google Cloud Platform. The Vulnerability Reward Program does not authorize the testing of Google Cloud Platform.

  • Cross-site scripting vulnerabilities in "sandbox" domains. We have a number of domains that leverage the same-origin policy to safely isolate certain types of untrusted content; the most prominent example is *.googleusercontent.com. Unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain a bug.

  • URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks.

  • Legitimate content proxying and framing. We expect our services to label third-party content unambiguously and to perform a number of abuse-detection checks.

  • Bugs requiring exceedingly unlikely user interaction. For example, a cross-site scripting flaw that needs the victim to manually type in an XSS payload into DoiT Platform and then double-click an error message may realistically not meet the bar.

  • Logout cross-site request forgery. For better or worse, the design of HTTP cookies means that no single site can prevent its users from being logged out; consequently, application-specific ways of achieving this goal will likely not qualify. You may be interested in personal blog posts from Chris Evans and Michal Zalewski for more background.

  • Flaws affecting the users of out-of-date browsers and plugins. The security model of the web is constantly being fine-tuned. The panel typically does not reward reports that describe issues that affect only the users of outdated or unpatched browsers.

  • Presence of banner or version information. Version information does not, by itself, expose the service to attacks; therefore, we do not consider it a bug. That said, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.

  • Email spoofing. We are aware of the risk presented by spoofed messages and are taking steps to ensure that our Gmail filters can effectively deal with such attacks.

  • User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don't have any rate limits in place to protect our users.

Reward amounts (bounty) for security vulnerabilities

Severity LevelVulnerability TypeReward RangeComments
CriticalRemote code execution, System access$5,000 - $10,000Direct impact on system integrity, data confidentiality, or availability.
HighSQL injection, Significant data breach$2,500 - $4,999High impact on system performance or sensitive data exposure.
MediumCross-site scripting, Moderate data breach$1,000 - $2,499Limited impact on system or data, requiring specific conditions.
LowInformation disclosure, Minor data breach$100 - $999Minimal impact, often requiring extensive user interaction.
  • Critical vulnerabilities allow an attacker to fully control the system, access sensitive data, or compromise the system's integrity and availability directly.

  • High-severity vulnerabilities significantly impact the system's confidentiality, integrity, or availability but may not directly lead to system control.

  • Medium-severity vulnerabilities affect the system's security but are less likely to be exploited due to the complexity or specific conditions required.

  • Low-severity vulnerabilities have a minimal impact and are unlikely to be exploited significantly.

Investigating and reporting bugs

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or DoiT.

Want to get involved? Please email us to report the vulnerability and include steps to reproduce it.

Note that we are only able to answer technical vulnerability reports. Non-security bugs and queries about problems with your account should instead be directed to our Help Center, Trust Center, or Support.

We are unable to issue rewards to individuals on sanctions lists or who are in countries (e.g., Cuba, Russia, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. Depending upon your local law, there may be additional restrictions on your ability to enter.

This is not a competition but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law or disrupt or compromise any data that is not yours.