The Vultr.com websites my.vultr.com, www.vultr.com, api.vultr.com, docs.vultr.com, and creators.vultr.community are all within scope. The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.
Vultr.com customer instances are not in scope. Many instances have default hostnames or reverse DNS ending in "vultr.com"; the presence of that does not imply that an IP is in scope. If you have any questions about whether or not something is in scope, please contact us before you take any action.
Any sort of DoS/DDoS attack is strictly forbidden.
These are generally very noisy and have a very high false positive rate and are not in scope.
Bugs requiring the user to be compromised or to have malicious browser extensions are not in scope.
Vulnerabilities in the operating systems we provide are not in scope unless the issue is directly caused by modifications we have made to it.
Exploits that require the end user to run an outdated or legacy web browser are not in scope.
Please do not submit a large volume of support tickets or replies. This can cause delays for other customers with actual problems.
We allow email addresses to be changed with no verification before a user has funded their account or verified their email. Protections around funded or verified accounts are significantly stronger.
The Vultr Marketplace is designed for vendors to deploy vendor-provided applications and images. Images provided by and deployed by vendors are out of scope for the Bug Bounty Program.
Issues regarding the creation of multiple user accounts under the same Gmail address with dots added are considered out of scope. Please refer to Google's support article on the subject.
Reports indicating missing headers (Content-Security-Policy and similar), or DMARC policy suggestions are not in scope.
Reports indicating that EXIF or other metadata are not stripped from ticket attachments are not in scope.
If you find a security vulnerability anywhere on the Vultr platform, it is our priority to work with you to resolve the issue. Our engineering team will promptly review all bug bounty submissions and compensate reporters for the ethical disclosure of verifiable exploits. The level of award is determined based on the severity, complexity, and scope of the exploit.
Reports eligible for compensation will be paid with Vultr account credit or direct to your PayPal address.
A member of the engineering team will review it and contact you shortly.