Bug Bounty Program

Reward Tiers

Rewards are determined based on the severity and impact of the vulnerability. All submissions are evaluated by our security team.

Scope

The following assets and vulnerability types are within the scope of our Bug Bounty Program:

In Scope

• duckier.com — Main website and all subdomains
• VPN connection functionality — Server connections, protocols, and encryption
• User authentication & authorization — Login, registration, password reset
• Payment processing — Premium purchases and transactions
• API endpoints — Public and authenticated API calls
• Admin panel — Administrative interfaces (with proof of concept only)

Out of Scope

• Denial of Service (DoS/DDoS) attacks
• Social engineering attacks (phishing, vishing, etc.)
• Physical security testing
• Third-party services and integrations
• Issues in outdated browsers or platforms
• Spam or content injection without security impact
• Self-XSS or issues requiring significant user interaction
• Rate limiting on non-critical endpoints

Submission Process

Rules & Guidelines

• Make every effort to avoid privacy violations, data destruction, and service interruption
• Do not access, modify, or delete data belonging to other users
• Do not perform any attacks that could harm the reliability or integrity of our services
• Only test against accounts you own or have explicit permission to test
• Do not use automated scanners or tools that generate excessive traffic
• Report vulnerabilities as soon as possible after discovery
• Keep vulnerability details confidential until we've resolved the issue
• Do not publicly disclose the vulnerability without our written consent
• Submit one vulnerability per report for faster processing
• Provide detailed steps to reproduce the vulnerability
• Include proof of concept code, screenshots, or videos when applicable
• You must be the original discoverer of the vulnerability