Optimizely is an experience optimization platform enabling A/B and multivariate testing for users to enhance their websites & mobile apps.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
| Priority | Reward |
|---|---|
| P1 | $2,000 - $5,000 |
| P2 | $1,000 - $2,000 |
Any domain/property of Optimizely not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
The Optimizely platform technology provides A/B testing tools, in which two versions of a web page can be compared for performance, and multivariate testing. Optimizely also enables personalization, which may be used for making data-driven decisions.
Researchers are encouraged to sign up for their own developer account here: https://www.optimizely.com/?modal=devsignup - using their @bugcrowdninja.com email address on the main Optimizely site. For more info regarding @bugcrowdninja email addresses, see here.
At Optimizely, security is a key priority. Therefore, we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:
SDK: Optimizely customers embed a small library in their applications. This library contains the logic for the experiments.
Editor: Optimizely customers use the editor at app.optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.
Vulnerability types that qualify for the program include:
- Cross-Site Scripting
- SQL Injection
- Remote Code Execution
- Cross-Site Request Forgery
- Directory Traversal
- Information Disclosure
- Content Spoofing
- Unauthorized Access
- Privilege Escalation
- Provisioning Errors
You may submit other types of vulnerabilities unless they are listed as out of scope (refer to the VRT for ratings, etc.).
Please share screencasts using a hosted site such as a password-protected Vimeo (please don't use anything that doesn't at least offer password protection to view/access). We will not download or view screencast files from file-sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.
Depending on their impact, not all reported issues may qualify for a monetary reward.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Optimizely users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Triggering emails to be sent to another user's account
- Pages and content cached after logout
- Password complexity requirements
- User or account ID enumeration
- Issues related to software or protocols not under Optimizely control
- Vulnerabilities in third-party applications or services which use or integrate with Optimizely
- Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
- Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Optimizely staff or contractors or physical attempts against property
- Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
- Reports relating to HSTS - we can't enable it yet but plan to
- Reports related to shared computer accounts
Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln