Bug Bounty Program

Objective

The Bug Bounty Program aims to enhance the security of our cloud hosting services by incentivizing security researchers and ethical hackers to report potential security vulnerabilities responsibly. This program encourages the responsible disclosure of such vulnerabilities to help us identify and remediate issues before they can be exploited by malicious actors.


Scope

The Bug Bounty Program covers all publicly accessible web applications, APIs, and services owned and operated by CIVO. This includes but is not limited to:

  1. Website and dashboard.
  2. CLI and IaC tools, e.g. Terraform.
  3. API endpoints for provisioning and managing cloud resources.
  4. Authentication and authorization mechanisms.
  5. Server and network configurations related to public cloud services.

Out of Scope

The following issues are considered out of scope and should not be tested without explicit authorization from Civo:

  1. Physical attacks against data centers, offices, or employees.
  2. Social engineering or phishing attacks against employees or customers.
  3. Any form of denial-of-service (DoS or DDoS) attacks.
  4. Brute-force attacks or password guessing.
  5. Attacks targeting outdated or unsupported browsers, plugins, or devices.
  6. Vulnerabilities in third-party applications not owned by Civo.

Rewards

Rewards for eligible vulnerability reports will be determined based on the severity and impact of the reported issue. The severity levels and corresponding rewards are as follows:

  • Critical: Up to $500
    • Examples: Remote code execution, authentication bypass leading to unauthorized access, and sensitive data exposure.
  • High: Up to $200
    • Examples: Privilege escalation and significant security misconfigurations.
  • Medium: Up to $150
    • Examples: Cross-site scripting (XSS), cross-site request forgery (CSRF), and other moderate security issues.
  • Low: Up to $100
    • Examples: Low-impact information disclosure, and UI and UX issues.

The Bug Bounty team will evaluate the severity of each submission and may adjust the reward amount based on factors such as the quality of the report and the potential for exploitation.


Submission Process

To submit a vulnerability report, follow these steps:

  1. Go to civo.com/bug-bounty and fill out the necessary details.
  2. Provide a detailed description of the vulnerability, including the steps to reproduce it and any supporting materials (screenshots, videos, scripts, etc.).
  3. Allow a reasonable amount of time for the Bug Bounty team to review and validate the submission.
  4. Once the submission is reviewed, the Bug Bounty team will contact the researcher to discuss the findings and potential reward.

Legal Safe Harbor

Civo commits to not pursue legal action against researchers who report security vulnerabilities following the guidelines of this Bug Bounty Program. We request that you do not exploit any security issues you discover, beyond the extent required to demonstrate the vulnerability.


Disclosure Policy

After receiving and verifying a report, CIVO will work to resolve the issue promptly. We aim to keep researchers informed of the progress during the resolution process.

This Bug Bounty Policy is subject to change without notice. CIVO reserves the right to modify the scope, rewards, and guidelines at any time.


Contact us

For any inquiries related to the Bug Bounty Program, please contact bugbounty@civo.com.

By participating in this Bug Bounty Program, you acknowledge that you have read and agree to the terms and conditions outlined in this policy.