What is the scope of the bug bounty program?

The Vultr.com websites my.vultr.com, www.vultr.com, api.vultr.com, docs.vultr.com, and creators.vultr.community are all within scope. The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.

What issues are out of scope?

Customer Instances

Vultr.com customer instances are not in scope. Many instances have default hostnames or reverse DNS ending in "vultr.com"; the presence of such a name does not imply that an IP is in scope. If you have any questions about whether or not something is in scope, please contact us before you take any action.

Report an issue

If you find a security vulnerability anywhere on the Vultr platform, it is our priority to work with you to resolve the issue. Our engineering team will promptly review all bug bounty submissions and compensate reporters for the ethical disclosure of verifiable exploits. The level of award is determined based on the severity, complexity, and scope of the exploit.

Reports eligible for compensation will be paid with Vultr account credit or directly to your PayPal address.

Injection Flaw

Broken Authentication

Cross Site Scripting

Data Exposure

Privilege Escalation

Other