Help make the DADI platform
more secure for everyone.

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some prizes and cold hard cash for their efforts.

Happy bug hunting! You can find more information in the rules and FAQs. If you’ve found a vulnerability, submit it with HackOne below:

Submit a vulnerability

Rules for you

  • Don’t attempt to gain access to user accounts or user data
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed
  • Don’t publicly disclose a bug before it has been fixed
  • Only test for vulnerabilities on properties and software you know to be operated by DADI and listed under Open bounties. Some products hosted on subdomains of Dadi.tech are operated by third parties and should not be tested
  • Do not impact other users with your testing. We may suspend your DADI account if you do so
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your DADI account
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • When in doubt, contact us

Rules for us

  • We will respond as quickly as possible to your submission
  • We will keep you updated as we work to fix the bug you submitted
  • We will not take legal action against you if you play by the rules

What does not qualify?

  • Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope
  • Bugs requiring exceedingly unlikely user interaction
  • Insecure cookie settings for non-sensitive cookies
  • Disclosure of public information and information that does not present significant risk
  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible
  • Bugs in apps not listed under Open bounties are generally not eligible. Look at individual bounties for details on scope
  • Bugs in content/services/products that are not owned/operated by DADI. This includes our users’ code and third party services operating within our infrastructure
  • Vulnerabilities that DADI determines to be an accepted risk will not be eligible for a paid bounty or listing on the site
  • Scripting or other automation and brute forcing of intended functionality
  • For guidance, we have listed the vulnerability classifications we use to organize submissions made to the Bounty program
  • When in doubt, contact us

Open bounties

DADI API

DADI API is a high performance RESTful API layer designed in support of API-first development and the principle of COPE.

Because API sits at the heart of the DADI platform, security has always been a high priority.

Rewards range from $200 up to $5,000 and are determined at our discretion based on a number of factors.

You can find the app on GitHub and can find the API documentation on our docs site.

DADI CDN

DADI CDN is a JIT asset manipulation and delivery application, providing a complete content distribution solution.

DADI CDN provides content manipulation for many high profile businesses, making security of utmost importance.

Rewards range from $100 up to $2,500 and are determined at our discretion based on a number of factors.

You can find the app on GitHub and can find the CDN documentation on our docs site.

FAQs

How are bounty payments made?

All bounties are currently paid via PayPal.

Can I donate my reward to a charity?

Yes. We know that some of you would prefer your bounty reward go toward helping someone else. If you choose, we will donate your reward to an established charitable organization of your choice. DADI will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of our choosing.

I don’t live in the United Kingdom, or I’m under 18, am I eligible?

Yes, international researchers are eligible. Researchers between 13 and 18 years of age are also eligible, however, those in the United Kingdom will need to provide guardian consent before any payment can be made.

I reported a vulnerability but have not received a response!

Please allow up to 24 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

How is the bounty reward determined?

Our engineering team take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and platform layers. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.

What are points?

In addition to giving researchers money and/or prizes, we are trying to make this fun. We assign a point value to each vulnerability and list it on this site. The researchers with the most points are listed on our leaderboard. While we use many of the same metrics when determining point value as for dollar value, other non-tangible factors are considered as well. For example, if you provide an awesome write-up of a vulnerability with a functional POC, that will be factored in.

What if I do not want my submission published on the bounty website?

Please still send us your vulnerability! We will only publish your submission after your approval. To be visible within the leaderboard you must provide us with a name and your GitHub username. This allows us to link submissions to your Git profile.

What are the legal terms of the Bug Bounty program?

By participating in DADI’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to DADI’s Terms of Service as well as the following: