Daytona Launches Bug Bounty Program, Offering Up to $1,000 for Security Vulnerabilities
Daytona has formally integrated a vulnerability disclosure program (VDP) into its core security documentation, establishing a structured channel for external researchers to report security flaws. The program, detailed in a newly updated public `SECURITY.md` file, offers monetary rewards ranging from $100 to $1,000 for valid findings. This move signals a strategic shift towards proactive, crowdsourced security validation, supplementing existing practices like penetration testing.
The program has been officially referenced within Daytona's 'security exhibit,' a formal document that supplements its Terms of Service and Data Processing Agreement. The new subsection is positioned between sections on penetration testing and compliance, completing the public-facing picture of the company's external security validation efforts. The exhibit deliberately defers to the standalone `SECURITY.md` for full program details, including scope, exclusions, safe harbor provisions for researchers, and disclosure timelines, maintaining a formal and audit-defensible tone.
By publishing a reward range and a dedicated reporting email ([email protected]), Daytona is standardizing its engagement with the security research community. This institutionalizes a process that was likely handled ad hoc before, reducing legal risk for both the company and ethical hackers. The update, verified for accuracy and placement, represents a maturation of Daytona's security posture, aligning it with industry best practices for transparency and collaborative defense.