Optimizely

  • $1,000 – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

31 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$1,133.33 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Optimizely is an experience optimization platform enabling A/B and multivariate testing for users to enhance their websites & mobile apps.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Rewards:

Priority   Reward
P1         $2,000 - $5,000
P2         $1,000 - $2,000
P3         Kudos
P4         Kudos

Targets

In scope

Any domain/property of Optimizely not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Target Information

The Optimizely platform technology provides A/B testing tools, in which two versions of a web page can be compared for performance, and multivariate testing. Optimizely also enables personalization, which may be used for making data-driven decisions.

Access

Researchers are encouraged to sign up for their own developer account here: https://www.optimizely.com/?modal=devsignup - using their @bugcrowdninja.com email address on the main Optimizely site. For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:

  • Web: Optimizely customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the experiments. This is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

  • SDK: Optimizely customers embed a small library in their applications. This library contains the logic for the experiments.

  • Editor: Optimizely customers use the editor at app.optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.


Vulnerability types that qualify for the program include:

  • Cross-Site Scripting
  • SQL Injection
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Directory Traversal
  • Information Disclosure
  • Content Spoofing
  • Unauthorized Access
  • Privilege Escalation
  • Provisioning Errors

You may submit other types of vulnerabilities unless they are listed as out of scope (refer to the VRT for ratings, etc).

Please share screencasts using a hosted site like a password protected Vimeo, etc (please don't use anything that doesn't at least offer password protection to view/access). We will not download or view screencast files from file sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.


Out-of-Scope

Depending on their impact, not all reported issues may qualify for a monetary reward.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Optimizely users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Rendering HTML content without security impact. Reports of rendered HTML content must demonstrate JavaScript execution or some other malicious action.
  • Triggering emails to be sent to another user's account
  • Pages and content cached after logout
  • Password complexity requirements
  • User or account ID enumeration
  • Issues related to software or protocols not under Optimizely control
  • Vulnerabilities in third-party applications or services which use or integrate with Optimizely
    • help.optimizely.com - Zendesk, report bugs here
    • community.optimizely.com - Lithium, report bugs here
    • blog.optimizely.com / www.optimizely.com/blog - WordPress, report bugs here
    • playground.optimizely.com - an internal-only site
  • Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
  • Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Optimizely staff or contractors or physical attempts against property
  • Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
  • Reports relating to HSTS - we can't enable it yet but plan to
  • Reports related to shared computer accounts

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category - https://sites.google.com/site/bughunteruniversity/nonvuln

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.