Optimizely is an experience optimization platform enabling A/B and multivariate testing for users to enhance their websites & mobile apps.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Last updated 2 Oct 2018 19:12:56 UTC
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $5,000 |
| P2 Severe | $1,000 - $2,000 |
P3 and P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.
| Target name | Type |
|---|---|
| <https://app.optimizely.com/> | Website |
| <https://www.optimizely.com/> | Website |
| <https://api.optimizely.com/> | API |
| <https://cdn.optimizely.com/> | Website |
| <https://cdn-pci.optimizely.com/> | Website |
Any domain/property of Optimizely not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Depending on their impact, not all reported issues may qualify for a monetary reward. Please refrain from:
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a good write-up of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln
The Optimizely platform technology provides A/B testing tools, in which two versions of a web page can be compared for performance, and multivariate testing. Optimizely also enables personalization, which may be used for making data-driven decisions.
Researchers are encouraged to sign up for their own developer account here: https://www.optimizely.com/?modal=devsignup - using their @bugcrowdninja.com email address on the main Optimizely site. For more info regarding @bugcrowdninja email addresses, see here.
At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:
SDK: Optimizely customers embed a small library in their applications. This library contains the logic for the experiments.
Editor: Optimizely customers use the editor at app.optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.
You may submit other types of vulnerabilities unless they are listed as out of scope (refer to the VRT for ratings, etc).
Please share screencasts using a hosted site like a password protected Vimeo, etc (please don't use anything that doesn't at least offer password protection to view/access). We will not download or view screencast files from file sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.