DuckDice Bug Bounty Program
At DuckDice, we take the security of our platform seriously.
We invite all ethical hackers (white hats) to participate in our Bug Bounty Program, helping us detect vulnerabilities and make our systems even safer.
How to Participate
All security researchers must follow these principles when submitting reports:
- Provide a detailed and clear description of the vulnerability.
- Collaborate with our technical team to clarify or expand on the findings.
- Give DuckDice a reasonable amount of time to resolve the issue before disclosing it publicly.
- Do not leak, misuse, or destroy any user or internal data.
- Do not defraud users or DuckDice during the testing process.
Rewards for Reporting
DuckDice offers five levels of reward based on the severity of the discovered vulnerability.
Severity Levels and Rewards
| Level | Description | Reward |
|---|---|---|
| 1 | Minor issue, not exploitable but previously unknown | $10 USD |
| 2 | Low-severity vulnerability with limited potential impact | $50 USD |
| 3 | Medium-severity, exploitable under specific conditions | $100 USD |
| 4 | High-severity, significant threat to platform or users | $300 USD |
| 5 | Critical vulnerability, e.g., potential to steal funds/data | $1000 USD |
Eligibility Criteria
We reserve the right to determine the severity level and whether a vulnerability has already been reported.
Examples of Qualifying Vulnerabilities
These types of issues may qualify for a reward:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication bypass
- Privilege escalation
- Clickjacking
- Remote code execution
- Unauthorized access to user information
Excluded Reports
The following do not qualify for rewards:
- Vulnerabilities on third-party hosted services
- Spam-related issues
- Bugs in third-party software or browser extensions
How to Submit a Vulnerability Report
To report a bug or vulnerability, please email:
Include the following in your email:
- A clear description of the issue
- The potential impact on DuckDice or its users
- Detailed steps to reproduce the issue
- A proof of concept (PoC), if possible
FAQ – Bug Bounty Questions
Q: What types of vulnerabilities are eligible for rewards?
A: Vulnerabilities that could result in financial loss, data leakage, or security breaches (such as XSS, CSRF, RCE, or privilege escalation) are usually considered eligible.
Q: How will I know if my report is accepted?
A: Our technical team will review your submission and follow up with you via email. If your report is valid and not previously reported, you'll be notified of the severity level and applicable reward.
Q: How long does it take to receive a reward?
A: Rewards are issued after the vulnerability has been verified and resolved. Most payments are processed within 7 business days after confirmation.
Q: Can I publish my findings?
A: Yes, but only after DuckDice has fixed the vulnerability and you’ve received explicit permission from our team. We appreciate responsible disclosure.