Bug Bounty Program

Security is our top priority. We reward security researchers who help us identify vulnerabilities and keep DDownload safe for all users.

What we pay

Critical
€1,000 to €5,000
Vulnerabilities that pose an immediate and severe risk to our platform, users or infrastructure.
Examples
  • Remote Code Execution (RCE)
  • SQL Injection with data leak
  • Authentication bypass
  • Payment system manipulation
  • Full account takeover
High
€500 to €1,000
Significant vulnerabilities that can lead to unauthorised access or data exposure.
Examples
  • Stored XSS on critical pages
  • SQL Injection (limited impact)
  • Privilege escalation
  • SSRF with internal network access
  • Critical IDOR vulnerabilities
Medium
€100 to €500
Moderate vulnerabilities with security impact that typically require user interaction.
Examples
  • Reflected XSS
  • CSRF on sensitive actions
  • Minor IDOR issues
  • Open redirect
  • Rate limit bypass

Note: Final reward amounts are at the discretion of our security team, based on exploitability, impact and report quality. Duplicate reports are not eligible for rewards.

What is in scope

In scope

  • ddownload.com and all subdomains
  • File upload / download: processing, storage, delivery
  • Authentication: login, registration, password reset
  • Payment processing: Ultimate purchases and transactions
  • API endpoints: public and authenticated calls
  • Admin panel: only with proof of concept

Out of scope

  • Denial of Service (DoS/DDoS)
  • Social engineering (phishing, vishing)
  • Physical security tests
  • Third-party services and integrations
  • Issues in outdated browsers
  • Self-XSS or issues requiring extensive user interaction
  • Rate limiting on non-critical endpoints

How to submit

  1. Discover: Identify a potential security vulnerability within our scope.
  2. Document: Create a detailed report with reproduction steps and proof of concept.
  3. Submit: Send your report by email to our security team.
  4. Get rewarded: After verification you receive your reward and optional public credit.

Response time: We aim to acknowledge all reports within 48 hours and provide a first assessment within 5 business days. Critical vulnerabilities are prioritised.

What we expect

  • Avoid privacy violations, data destruction and service disruptions at all costs.
  • Do not access, modify or delete other users' data.
  • Do not perform attacks that could affect the reliability of our services.
  • Only test against accounts you own or for which you have explicit permission.
  • Do not use automated scanners that generate excessive traffic.
  • Treat vulnerability details confidentially until we have fixed the issue.
  • Submit one vulnerability per report for faster processing.
  • You must be the original discoverer of the vulnerability.

Safe Harbor: We will not take legal action against researchers who follow these guidelines and act in good faith. Security research conducted under this policy is considered authorised testing.

Ready to submit a report?

Send your detailed security report to our security team. We respond within 48 hours.

[email protected]

Please write "Bug Bounty" in the subject line and encrypt sensitive information with our PGP key where possible.
