What is the scope of the
bug bounty program?
The following Vultr websites are within the scope of this program:
Accepted categories include, but are not limited to:
- Injection Attacks
- Authentication or Authorization Flaws
- Cross-Site Scripting (XSS)
- Sensitive Data Exposure
- Privilege Escalation
What issues are out of scope?
Customer Instances
Vulnerabilities in customer-provided content or configurations.
DoS and DDoS Attacks
Due to potential service disruption, these are not tested here.
Automated Scan Reports
These lack the depth required for actionable insights.
Prior Compromise Required
Issues needing prior user compromise are out of scope.
Legacy Browsers
Vulnerabilities requiring outdated browsers are excluded.
Unverified Email Changes
Issues with email changes before account verification.
Marketplace Products
Managed by vendors, these are not within our program.
Gmail Address Characters
Reports involving '+' or '.' in Gmail addresses are excluded.
ISO Image Exploits
Vulnerabilities in Vultr provided ISO images are not considered.
Missing Security Headers
These are beyond the current scope.
Metadata in Support Tickets
Not applicable to this program.
Program Details
VRT System:
- We use Bugcrowd's Vulnerability Rating Taxonomy (VRT) for assessment. Learn more
- Only P4-P1 rated issues are eligible for payouts.
- P5 issues can be reported but will not receive compensation.
Payout Tiers:
- P4: $50 - 300
- P3: $300 - 500
- P2: $500 - 1000
- P1: $1000 - 10000
How it Works
Submission Guidelines:
- Provide a clear Proof of Concept (PoC) demonstrating the vulnerability.
- Include an impact statement explaining and demonstrating potential effects.
- For videos, please post them as unlisted on platforms like YouTube or Google Drive. The file size limit in our ticketing system is only a few Megabytes.
Steps to Participate:
- Identify a vulnerability within the scope.
- Submit via our designated channel with required details.
- Await assessment by our security team.
Other Policies:
- Confidentiality: Do not disclose vulnerabilities publicly before resolution.
- Terms of Service: Ensure activities comply with Vultr's TOS and all applicable laws.
- By participating, you agree to these terms. We reserve the right to modify this policy as needed.
Report an issue
Thank you for your contribution to Vultr's security!
We have received your bug report.
A member of the engineering team will review it and contact you shortly.