Bug Bounty Program

Cubbit partners with Unguess Security for our bug bounty program aimed at encouraging and motivating ethical hackers to help us maintain the security of our geo-distributed cloud storage services Cubbit DS3 by reporting any vulnerabilities responsibly and effectively.

GDPR compliant icon

What is in-scope:

In-scope activities include analysis of any vulnerabilities on the web interface of Cubbit DS3 object storage application, including the exposed REST API.

Endpoints list:

  • iam.cubbit.eu 
  • authentication.cubbit.eu
  • claw.cubbit.eu
  • ds3.cubbit.eu
  • keyvault.cubbit.eu
  • s3.cubbit.eu
  • storage.cubbit.eu
  • console.cubbit.eu
  • hive.cubbit.eu
  • swarm-gateway.cubbit.eu

We reserve the right to update this list from time to time without notice.

What is out-of-scope:

  • Vulnerabilities related to other services:
    - web.cubbit.io
    - help.cubbit.io
    - docs.cubbit.io
    - status.cubbit.io
    - Cubbit Cell
    - cubbit.io and landing pages
  • Social engineering / phishing / tab nabbing, employees and other users or testers.
  • Load testing, DoS, DDoS or vulnerabilities with heavy automated tools that can slow down the site.
  • Excessive user creation on the network.
  • content security policies (CSPs) on the S3 web client.


We offer up to 3,000.00€ per vulnerability depending on category and severity. Out-of-scope vulnerability reports will not be eligible for recognition.