Bug Bounty Program
Help us keep ddownload.com secure
Earn rewards by reporting security vulnerabilities
At ddownload.com, security is our top priority. We believe in working with the security community to identify and resolve vulnerabilities. Our Bug Bounty Program rewards security researchers who help us maintain the highest security standards for our platform and users.
Reward Tiers
Rewards are determined based on the severity and impact of the vulnerability. All submissions are evaluated by our security team.
Critical
€1,000 - €5,000
Vulnerabilities that pose immediate and severe risk to our platform, users, or infrastructure.
Examples:
- Remote Code Execution (RCE)
- SQL Injection leading to data breach
- Authentication bypass
- Payment system manipulation
- Arbitrary file upload leading to RCE
- Full account takeover
High
€500 - €1,000
Significant vulnerabilities that could lead to unauthorized access or data exposure.
Examples:
- Stored XSS on critical pages
- SQL Injection (limited impact)
- Privilege escalation
- SSRF with internal network access
- Sensitive data exposure (PII)
- Critical IDOR vulnerabilities
Medium
€100 - €500
Moderate vulnerabilities with potential security impact that require user interaction.
Examples:
- Reflected XSS
- CSRF on sensitive actions
- Minor IDOR issues
- Open redirect to authentication pages
- Information disclosure (non-sensitive)
- Rate limiting bypass
Note: Final reward amounts are at the discretion of our security team based on exploitability, impact, and quality of the report. Duplicate reports are not eligible for rewards.
Scope
The following assets and vulnerability types are within the scope of our Bug Bounty Program:
In Scope
- ddownload.com - Main website and all subdomains
- File upload/download functionality - File handling, storage, and delivery
- User authentication & authorization - Login, registration, password reset
- Payment processing - Premium purchases and transactions
- API endpoints - Public and authenticated API calls
- Admin panel - Administrative interfaces (with proof of concept only)
Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering attacks (phishing, vishing, etc.)
- Physical security testing
- Third-party services and integrations
- Issues in outdated browsers or platforms
- Spam or content injection without security impact
- Self-XSS or issues requiring significant user interaction
- Rate limiting on non-critical endpoints
Submission Process
1
Discover
Identify a potential security vulnerability within our scope
2
Document
Create a detailed report with steps to reproduce and proof of concept
3
Submit
Send your report to our security team via email
4
Receive Reward
Get acknowledged and receive your bounty after verification
Response Time: We aim to acknowledge all reports within 48 hours and provide an initial assessment within 5 business days. Critical vulnerabilities will be prioritized.
Rules & Guidelines
- Make every effort to avoid privacy violations, data destruction, and service interruption
- Do not access, modify, or delete data belonging to other users
- Do not perform any attacks that could harm the reliability or integrity of our services
- Only test against accounts you own or have explicit permission to test
- Do not use automated scanners or tools that generate excessive traffic
- Report vulnerabilities as soon as possible after discovery
- Keep vulnerability details confidential until we've resolved the issue
- Do not publicly disclose the vulnerability without our written consent
- Submit one vulnerability per report for faster processing
- Provide detailed steps to reproduce the vulnerability
- Include proof of concept code, screenshots, or videos when applicable
- You must be the original discoverer of the vulnerability
Safe Harbor: We will not pursue legal action against researchers who comply with these guidelines and act in good faith. We consider security research conducted under this policy to be authorized testing.
