Skip to main content

Vulnerability Reward Program (VRP)

We have long enjoyed a close relationship with the security research community. To honor all the cutting-edge external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program for DoiT-owned web properties.

Services in scope

In principle, any DoiT-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains. Generally, bugs in DoiT Platform, including Flexsave will also qualify.

  • *.doit.com
  • *.doit-intl.com

On the flip side, the program has two important exclusions to keep in mind:

  • Third-party websites. Some DoiT-branded services hosted in less common domains may be operated by our vendors or partners. We can't authorize you to test these systems on behalf of their owners and will not reward such reports. Please read the fine print on the page and examine domain and IP WHOIS records to confirm. If in doubt, talk to us first!

  • Recent acquisitions. To allow time for internal review and remediation, newly acquired companies are subject to a 12-month blackout period. Bugs reported sooner than that will typically not qualify for a reward.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • Server-side code execution bugs.

Note that the scope of the program is limited to technical vulnerabilities in DoiT-owned browser extensions, mobile, and web applications; please do not try to sneak into DoiT-owned real estate properties, attempt phishing attacks against our employees, and so on.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable tactics. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Non-qualifying vulnerabilities

Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:

  • Vulnerabilities in *.bc.googleusercontent.com or *.appspot.com. These domains are used to host many of our applications that belong to Google Cloud Platform. The Vulnerability Reward Program does not authorize the testing of Google Cloud Platform.

  • Cross-site scripting vulnerabilities in "sandbox" domains. We have a number of domains that leverage the same-origin policy to safely isolate certain types of untrusted content; the most prominent example of this is *.googleusercontent.com. Unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain to be a bug.

  • URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks.

  • Legitimate content proxying and framing. We expect our services to unambiguously label third-party content and to perform a number of abuse-detection checks.

  • Bugs requiring exceedingly unlikely user interaction. For example, a cross-site scripting flaw that requires the victim to manually type in an XSS payload into DoiT Platform and then double-click an error message may realistically not meet the bar.

  • Logout cross-site request forgery. For better or worse, the design of HTTP cookies means that no single website can prevent its users from being logged out; consequently, application-specific ways of achieving this goal will likely not qualify. You may be interested in personal blog posts from Chris Evans and Michal Zalewski for more background.

  • Flaws affecting the users of out-of-date browsers and plugins. The security model of the web is constantly being fine-tuned. The panel typically does not reward reports that describe issues that affect only the users of outdated or unpatched browsers.

  • Presence of banner or version information. Version information does not, by itself, expose the service to attacks, therefore, we do not consider it a bug. That said, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.

  • Email spoofing. We are aware of the risk presented by spoofed messages and are taking steps to ensure that our Gmail filters can effectively deal with such attacks.

  • User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don't have any rate limits in place to protect our users.

Reward amounts for security vulnerabilities

CategoryExamplesReward
Remote code executionCommand injection, deserialization bugs, sandbox escapes$10,000
Unrestricted file system or database accessUnsandboxed XXE, SQL injection$5,000
Logic flaw bugs leaking or bypassing significant security controlsDirect object reference, remote user impersonation$5,000
Execute code on the clientCross-site scripting$2,500
Other valid security vulnerabilitiesCSRF, Clickjacking$3,500

Investigating and reporting bugs

When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to DoiT.

Want to get involved? Here's how:

  1. Go to bugcrowd.com and set up an account.

  2. Read the documentation on the DoiT Bugcrowd profile.

  3. Read the AgileBits Bugcrowd brief to find additional documentation on APIs, hints about the location of some of the flags, and other resources, as well as the Burp Suite plugin.

Get started!

Note that we are only able to answer to technical vulnerability reports. Non-security bugs and queries about problems with your account should be instead directed to Google Help Centers.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g., Cuba, Russia, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.