  • Points – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

  • 62 vulnerabilities rewarded
  • Validation within 2 days: 75% of submissions are accepted or rejected within 2 days
  • $500 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Optimizely is an experience optimization platform enabling A/B and multivariate testing for users to enhance their websites & mobile apps.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Reward range

Technical severity    Reward range
P1 Critical           $2,000 - $5,000
P2 Severe             $1,000 - $2,000

P3 and P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.


In scope

Target name / Type / Tags

https://app.optimizely.com/ (Website Testing)
  • Tags: Lodash, Newrelic, Website Testing, jQuery
https://api.optimizely.com/ (API Testing)
  • Tags: API Testing, HTTP
https://api.prod.optimizely.com (API Testing)
  • Tags: API Testing
https://cdn.optimizely.com/ (Website Testing)
  • Tags: Website Testing, jQuery
https://cdn-pci.optimizely.com/ (Website Testing)
  • Tags: Website Testing, jQuery
https://optimizely-edge.com (Website Testing)
  • Tags: Website Testing

Out of scope

Target name / Type

https://www.optimizely.com/ (Website Testing)

Any domain/property of Optimizely not listed in the targets section is out of scope. This includes any/all subdomains not listed above.



Depending on their impact, not all reported issues may qualify for a monetary reward. Please refrain from:

  • Denial of Service (DoS) or performing other actions that may negatively affect Optimizely users (spam)
  • Accessing private information (so use test accounts)
  • Sending reports from automated tools without verifying them

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Rendering HTML content without security impact. A report about rendered HTML content must demonstrate JavaScript execution or some other malicious action.
  • Triggering emails to be sent to another user's account
  • Pages and content cached after logout
  • Password complexity requirements
  • User or account ID enumeration
  • Issues related to software or protocols not under Optimizely control
  • Vulnerabilities in third-party applications or services which use or integrate with Optimizely
    • help.optimizely.com - Mindtouch, report bugs here
    • community.optimizely.com - Lithium, report bugs here
    • blog.optimizely.com / www.optimizely.com/blog - WordPress, report bugs here
    • playground.optimizely.com - an internal-only site
  • Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
  • Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Optimizely staff or contractors or physical attempts against property
  • Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
  • Reports relating to HSTS - we can't enable it yet but plan to
  • Reports related to shared computer accounts
  • Support system accessed via the 'Provide Feedback' link.

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category - https://sites.google.com/site/bughunteruniversity/nonvuln

Target Information

The Optimizely platform technology provides A/B testing tools, in which two versions of a web page can be compared for performance, and multivariate testing. Optimizely also enables personalization, which may be used for making data-driven decisions.


Researchers are encouraged to sign up for their own developer account here: https://www.optimizely.com/developer-signup/ - using their @bugcrowdninja.com email address on the main Optimizely site. For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the three focus areas of the program:

  • Web: Optimizely customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the experiments. It is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

  • SDK: Optimizely customers embed a small library in their applications. This library contains the logic for the experiments.

  • Editor: Optimizely customers use the editor at app.optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.


Documentation that has been provided can be found in the program updates section.

Vulnerability types that qualify for the program include

  • Cross-Site Scripting
  • SQL Injection
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Directory Traversal
  • Information Disclosure
  • Content Spoofing
  • Unauthorized Access
  • Privilege Escalation
  • Provisioning Errors

You may submit other types of vulnerabilities unless they are listed as out of scope (refer to the VRT for ratings, etc).

Please share screencasts using a hosted site like a password protected Vimeo, etc (please don't use anything that doesn't at least offer password protection to view/access). We will not download or view screencast files from file sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.