  • $100 – $2,500 per vulnerability
  • Up to $7,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

225 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$467.85 average payout (last 3 months)

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

NOTE: Sign up for Segment using your email addresses; otherwise your accounts may be banned when we notice bad behavior.

Segment is one place to collect customer data and send it to your tools for analytics, marketing automation, and raw data access with SQL. Implement all of your event tracking with Segment’s single API instead of wrangling a new API for every new tool or database. Segment's integrations let you send your data to hundreds of tools and databases.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Area of Focus - $7,000

Segment cares deeply about our customers and their data. Security issues that allow unauthorized access, without user interaction, to another workspace's event data, API keys, passwords, or other data deemed highly sensitive by Segment will be given a "P0" reward of $7,000.

Reward range

Technical severity    Reward range
P1 Critical           $2,000 - $2,500
P2 Severe             $1,000 - $1,250
P3 Moderate           $300 - $600
P4 Low                $100

P5 submissions do not receive any rewards for this program.


In scope

Target name                                                                       Type             Tags
(target name not captured)                                                        Website Testing  Website Testing, ReactJS, nginx
(target name not captured)                                                        API Testing      API Testing, HTTP
Source code of Website, Mobile, or Server Libraries                               Other            nginx
Any host / web property verified to be owned by Segment (domains/IP space/etc.)   Website Testing  Website Testing

Out of scope

Target name                   Type
(target name not captured)    Website Testing
(target name not captured)    Website Testing
(target name not captured)    Website Testing

Access & Testing

  • Sign up for Segment using your email addresses
  • Use Bugcrowd in your workspace names
  • Only test against accounts you have created
  • Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, React, and GraphQL.

To test Segment you'll need to create a variety of data sources/destinations. We recommend using those that have a bug bounty program of their own, such as Intercom, Twilio, Facebook, or Google. Services like Heroku can be valuable for creating resources such as Postgres instances to test our Warehouses product.


Segment provides libraries written in various languages to our customers. We invite you to review the source code of our Website, Mobile, and Server Libraries, all of which are hosted on GitHub. Qualifying submissions must have a demonstrable impact and a realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.

Out of Scope

Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team.

Segment uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.

  • Denial of service attacks.
  • Lack of rate limiting.
  • Brute-force attacks.
  • CORS or crossdomain.xml issues without a proof-of-concept.

Code of Conduct

  • Segment expects all security researchers to follow the Bugcrowd Code of Conduct.
  • Denial of service, spam, or phishing attacks are considered abusive and out of scope.
  • Do not exfiltrate Segment customer or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will work with you to assess the full impact of the vulnerability and award appropriately.

Safe Harbor

Segment supports and encourages security research into our services.

To promote this research, we agree that, if a researcher complies with the terms of Segment’s Bug Bounty Program:

  • Segment considers access to its systems necessary to your security research to be “authorized” access under the Computer Fraud and Abuse Act.
  • Segment agrees not to pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
  • Segment will waive any DMCA claim against you for circumventing technological measures we have used to protect Segment’s applications and services in scope of the policy.
  • Segment waives any restrictions in our applicable Terms of Service that would prohibit authorized security research in compliance with Segment’s Bug Bounty Program, for the limited purpose of your security research under this policy.

Segment connects with many third-party systems and services. Our authorization to you extends only to Segment’s systems and services. Segment, however, cannot authorize research on or access to third-party products that connect with its systems or guarantee they won’t pursue legal action against you. This policy does not authorize access to or waive any claims regarding any systems other than Segment’s own. If a third party initiates a legal action despite your compliance with this bug bounty policy, upon your request, Segment will provide the third party with this policy and a statement that your actions were conducted in compliance with this policy.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.