GoDaddy
GoDaddy Responsible Disclosure Policy and Bug Bounty Program

Last Revised: 26 June 2015

GoDaddy Responsible Disclosure Policy and Bug Bounty Program

Responsible Disclosure Policy:

GoDaddy encourages the responsible disclosure of security vulnerabilities in our services or on our website. In order to facilitate the responsible disclosure of security vulnerabilities, we agree that if, in our sole discretion, we conclude that a disclosure meets all of the guidelines of the GoDaddy Bug Bounty Program, GoDaddy will not bring any private or criminal legal action against the disclosing party.

Bug Bounty Program

GoDaddy offers monetary bounties for the responsible disclosure of certain qualifying security vulnerabilities. Our Bug Bounty Program works as follows

Services In Scope:

Only the www.godaddy.com and sso.godaddy.com web services are within scope for purposes of the GoDaddy Bug Bounty Program.

Qualifying Vulnerabilities:

GoDaddy will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible GoDaddy service. Eligible vulnerabilities include, but are not limited to:

  • Cross Site Scripting(XSS)

  • Authentication and Authorization Flaws

  • Cross Site Request Forgery(CSRF)

  • Remote Code Execution

  • SQL Injection

  • Directory Traversal

  • Click-jacking

  • Privilege Escalation 

Non-Qualifying Vulnerabilities:

Any domain not contained within www.godaddy.com or sso.godaddy.com is out of scope for the purposes of the Bug Bounty Program, as is all hosted customer content and third-party programs and plug-ins.

The following actions do not qualify for the Bug Bounty Program and should not be tested by researchers participating in the Program:

  • DoS, brute force, user enumeration or DDoS attacks

  • Physical attacks

  • Phishing attacks

  • Any bug that relies on Social engineering

  • CRIME/BEAST attacks

  • Logout CSRF

  • Banner or version disclosures

  • Missing SPF records

  • Directory listing (unless sensitive data can be found)

  • Blackhat SEO techniques

  • Any bug that relies upon an outdated browser

GoDaddy will not accept reports from automated vulnerability scanners.

Bounties:

All bounties are awarded at the discretion of the GoDaddy Bug Bounty Team, based on the severity of the reported vulnerability. Where an award is made, the minimum amount of the bounty will be Fifty Dollars ($50.00). Only one (1) bounty will be awarded per security bug. The awards will be made to the first researcher to responsibly disclose a particular bug.

Investigating and Reporting:

The security researcher submitting a vulnerability must thoroughly vet and confirm the vulnerability prior to submission. All submissions must include the following:

  1. Steps to reproduce the vulnerability; and

  2. A clear description of any accounts used in your report and any relationships between them.

To report a vulnerability, please follow the process described in this article in the GoDaddy Help Center.

Suggestions for Good Reports:

  1. The more detailed your steps for reproducing the bug, the better. This should include any pages that you visited, user IDs, links clicked, etc.

  2. Videos and images are always useful, but are even more useful if accompanied by a description.

  3. Exploit code that consistently works can allow us to verify your vulnerability more quickly.

  4. Remember – details, details, details!

Confidentiality:

Any information that you collect about GoDaddy, GoDaddy employees, or GoDaddy customers (“Confidential Information”) through the Bug Bounty Program must be kept confidential and may only be used in connection with the Program. You may disclose vulnerabilities only after proper remediation has occurred and you may not disclose Confidential Information without GoDaddy’s prior written consent. Any disclosure of Confidential Information outside of this requirement will result in immediate removal from the Program.

Legal:

By participating in GoDaddy’s Bug Bounty Program, you acknowledge that you have read and agree to GoDaddy’s Universal Terms of Service Agreement and Privacy Policy.

Your testing must not violate any law, disrupt services, or compromise any data that is not your own.

You are solely responsible for any applicable taxes or withholdings arising from or related to your participation in the GoDaddy Bug Bounty Program, including any rewards that are paid.

GoDaddy may use a third-party service provider to manage its Bug Bounty Program. If so, the provider’s terms and conditions shall apply.

Bug bounties will not be awarded to individuals or entities that are on U.S. sanctions lists, or that are located in countries or regions on U.S. sanctions lists.

The decision as to whether or not to pay a reward is entirely at the discretion of GoDaddy.

This is a discretionary rewards program. The program may be canceled at any time.


Revised: 26/06/15
Copyright © 2015 GoDaddy.com, LLC All Rights Reserved.