Segment is one place to collect customer data and send it to your tools for analytics, marketing automation, and raw data access with SQL. Implement all of your event tracking with Segment’s single API instead of wrangling a new API for every new tool or database. Segment's integrations let you send your data to hundreds of tools and databases.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Area of Focus - $5,000
Segment cares deeply about our customers and their data. Security issues that allow unauthorized access without interaction to another workspace's event data, API keys, passwords, or other data deemed highly sensitive by Segment will be be given a "P0" reward of $5,000.
|Technical severity||Reward range|
|p1 Critical||Starting at: $1,500|
|p2 Severe||$750 - $1,100|
|p3 Moderate||$300 - $500|
|p4 Low||$100 - $100|
Out of scope
Access & Testing
- Sign up for Segment using your @bugcrowdninja.com email addresses
- Use Bugcrowd in your workspace names
- Only test against accounts you have created
- Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, React, and GraphQL.
To test Segment you'll need to create a variety of data sources/destinations. We would recommend using those that have a bug bounty program such as Intercom, Twilio, Facebook, or Google. Services like Heroku can be valuable for creating resources such as Postgres instances to test our warehouses products.
Segment provides libraries written in various languages to our customers (https://segment.com/docs/sources/). We invite you to review the source code of our Website, Mobile, and Server Libraries, all of which are hosted on Github. Qualifying submissions must have a demonstrable impact and realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.
Out of Scope
Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team.
Segment uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.
- Denial of service attacks.
- Lack of rate limiting.
- Brute Forcing Attacks
- CORS or crossdomain.xml issues on api.segment.io without proof-of-concept
Code of Conduct
- Segment expects all security researchers to follow the Bugcrowd Code of Conduct.
- Denial of service, spam, or phishing attacks are considered abusive and out of scope.
- Do not exfiltrate Segment customer or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will work with you to assess the full impact of the vulnerability and award appropriately.
Segment supports and encourages security research into our services.
To promote this research, we agree that, if a researcher complies with the terms of Segment’s Bug Bounty Program:
- Segment considers access to its systems necessary to your security research to be “authorized” access under the Computer Fraud and Abuse Act.
- Segment agrees not to pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
- Segment will waive any DMCA claim against you for circumventing technological measures we have used to protect Segment’s applications and services in scope of the policy.
- Segment waives any restrictions in our applicable Terms of Service that would prohibit authorized security research in compliance with Segment’s Bug Bounty Program, for the limited purpose of your security research under this policy.
Segment connects with many third-party systems and services. Our authorization to you extends only to Segment’s systems and services. Segment, however, cannot authorize research on or access to third-party products that connect with its systems or guarantee they won’t pursue legal action against you. This policy does not authorize access to or waive any claims regarding any systems other than Segment’s own. If a third party initiates a legal action despite your compliance with this bug bounty policy, upon your request, Segment will provide the third party with this policy and a statement that your actions were conducted in compliance with this policy.