Help make the DADI platform
more secure for everyone.

It is increasingly common for software companies to engage with development communities to unearth any vulnerabilities – and programs such as those by Google, Facebook and Mozilla have helped with this cause. Our bounty program follows these principles and brings financial rewards to those who find issues.

Happy hunting! Find more information in our rules and FAQs below. If you’ve found a what looks like a vulnerability, submit it with HackrOne below:

Submit a vulnerability

You must not

  • Attempt to access to user accounts or user data
  • Share publicly any bug you discover until it has been fixed
  • Test for vulnerabilities on properties and software not listed under Open bounties. Some products hosted on subdomains of are operated by third parties and must not be tested
  • Impact other users. Your DADI account may be suspended if you do so
  • Carry out any attack that may harm the reliability/integrity of our services or data. DDoS/spam attacks are strictly forbidden
  • Use scanners or automated tools, again we may suspend your DADI account
  • Try any non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • When in doubt, contact us

We will

  • Respond to your submission as soon as we can
  • Keep you updated on our progress in fixing the bug you submitted
  • Not take legal action against you if you have followed the rules
  • Answer any questions you have via our contact page

Things to bear in mind

  • We are only interested in bugs that affect latest versions of modern browsers (Chrome, Firefox, Edge, Safari), and no bugs that relate to browser extensions please
  • We will not tolerate scripting or other automation or brute forcing of intended functionality
  • Apps not listed under Open bounties are generally not eligible for bug bounties. You’ll find more details on scope in individual bounties
  • Bugs that occur as a result of extremely unlikely user interaction will be ignored
  • We will not consider bugs in content/services/products that are not owned/operated by DADI, including our users’ code and third party services operating within our infrastructure
  • Insecure cookie settings for non-sensitive cookies do not qualify
  • Any vulnerabilities that DADI determines to be an accepted risk will not be eligible
  • We have listed the vulnerability classifications we use to organize any submissions made to the Bounty program. Please use this for guidance
  • Any bug submitted by another user will not qualify, nor will those we are already aware of, or any that have been classified as ineligible
  • As always, if you have a question, contact us

Open bounties


DADI API is a high performance RESTful API layer designed in support of API-first development and the principle of COPE.

Because API sits at the heart of the DADI platform, security has always been a high priority.

Rewards range from $200 up to $5,000 and are determined at our discretion based on a number of factors.

You can find the app on GitHub and can find the API documentation on our docs site.


DADI CDN is a JIT asset manipulation and delivery application, providing a complete content distribution solution.

DADI CDN provides content manipulation for many high profile businesses, making security of utmost importance.

Rewards range from $100 up to $2,500 and are determined at our discretion based on a number of factors.

You can find the app on GitHub and can find the CDN documentation on our docs site.


How are bounty payments made?

All DADI bounties are paid via PayPal.

Can I donate my reward to a charity?

Of course. Just choose an established charitable organization and let us know – and (at our discretion) we will also match your donation. Unclaimed rewards will be donated to a charity of our choosing after 12 months.

What if I don’t live in the United Kingdom?

Yes, international residents are eligible.

How about if I’m under 18?

Researchers aged between 13 and 18 years are allowed, but if resident in the UK we will need guardian consent before any payment can be made.

I have not received a response to my submission

Have you waited 24 hours? Checked that spam filters and email in general can sometimes be problematic? If so, get in touch.

How do you calculate the bounty reward?

We will consider how difficult it is to exploit the vulnerability, the likely exposure, plus the percentage of impacted users and platform layers.

What do points make?

Money is one thing, but we also want to make this enjoyable. Every vulnerability discovered on the site will be given a point value and listed on this site. We will then publish researchers with the most points on our leaderboard. Points are calculated using many of the same metrics as for the monetary value, but we will also consider other non-tangible factors, such as the quality of the written submission.

I don’t want my submission published

Don’t worry, we won’t publish anything without your approval. Which reminds us, we will need your Github username as this allows us to link submissions to your Git profile.

Any legal terms of the Bug Bounty program?

By participating in DADI’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to DADI’s Terms of Service as well as the following: