Braze Public BB

  • $300 – $5,000 per vulnerability

Braze Public Bug Bounty Program Update

Hello Everyone,

The account creation application is now working, so you can resume creating companies. Also, the login problems many people were experiencing before should now be fixed as well. If you have any additional problems, please email thomas.devoss@braze.com and CC security@braze.com, and let me know what problems you are seeing so that I can try to get them resolved.

I have also found a bug that prevents the HTML editors from properly displaying the previews when someone uses the https://bug-bounty.braze.com/ URL instead of the https://security-testing-env-dashboard.k8s.test-001.d-usw-2.braze.com/ URL. So if you are experiencing the issue where you get a 403 Forbidden response in the preview of any of the HTML builders/editors, change the URL from bug-bounty.braze.com to security-testing-env-dashboard.k8s.test-001.d-usw-2.braze.com, because that URL works properly and the other doesn't. I may be removing the bug-bounty.braze.com host from the in-scope assets.

As of right now, there are 0 pending bugs on the Public or Private Programs, so any new submissions right now have a very low likelihood of being a duplicate (the only chance of a duplicate right now is if you find any of the bugs from our pentest that was done last month). So right now is a great time to start looking for some vulnerabilities.

I am in the process right now of brainstorming some ideas for special bonuses or promotions to run for the program, so be on the lookout for those as well. I am hoping to launch at least one promotion in the next week or two. As a side note: if you have any ideas for potential promotions that would be cool to run, let me know (via the email above, including the CC to security@braze.com) and I can consider them.

Also, remember that we run both a Public and a Private program. The Private program has additional scope and will get first crack at any additional scope/servers/services/applications before they are added to the Public program, so definitely work on getting invited to the Private program. Generally speaking, I require researchers to find at least 5-7 valid, non-duplicate bugs (for Low/Medium bugs) on the Public program before I invite them to the Private program. However, if you find 1 valid, non-duplicate CRITICAL severity vulnerability, or 3 valid, non-duplicate HIGH severity bugs, that will also get you invited to the Private program, even if they are your only accepted bugs.

As always, we greatly appreciate each and every one of you who is helping to keep Braze and our users safe. If you have any questions, comments, concerns, promotion ideas, or believe you have met the requirements for the Private program and have not been invited, reach out to me via email at thomas.devoss@braze.com and make sure to CC security@braze.com.