


Optimizely is an experience optimization platform enabling A/B and multivariate testing for users to enhance their websites & mobile apps.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Reward Range

Last updated 2 Oct 2018 19:12:56 UTC

Technical severity | Reward range
P1 Critical | $2,000 - $5,000
P2 Severe | $1,000 - $2,000

P3 and P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
<> | Website
<> | Website
<> | API
<> | Website
<> | Website

Any domain/property of Optimizely not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Depending on their impact, not all reported issues may qualify for a monetary reward. Please refrain from:

  • Denial of Service (DoS) or performing other actions that may negatively affect Optimizely users (spam)
  • Accessing private information (so use test accounts)
  • Sending reports from automated tools without verifying them

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Rendering HTML content without security impact. A report of rendered HTML must demonstrate JavaScript execution or some other malicious action.
  • Triggering emails to be sent to another user's account
  • Pages and content cached after logout
  • Password complexity requirements
  • User or account ID enumeration
  • Issues related to software or protocols not under Optimizely control
  • Vulnerabilities in third-party applications or services which use or integrate with Optimizely
    • - Mindtouch, report bugs here
    • - Lithium, report bugs here
    • / - Wordpress, report bugs here
    • - an internal-only site
  • Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
  • Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Optimizely staff or contractors or physical attempts against property
  • Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
  • Reports relating to HSTS - we can't enable it yet, but plan to
  • Reports related to shared computer accounts
  • Support system accessed via the 'Provide Feedback' link.

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great write-up of bugs that fall into this category.

Target Information

The Optimizely platform technology provides A/B testing tools, in which two versions of a web page can be compared for performance, and multivariate testing. Optimizely also enables personalization, which may be used for making data-driven decisions.


Researchers are encouraged to sign up for their own developer account here: - using their email address on the main Optimizely site. For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:

  • Web: Optimizely customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the experiments. It is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

  • SDK: Optimizely customers embed a small library in their applications. This library contains the logic for the experiments.

  • Editor: Optimizely customers use the editor at to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.

Vulnerability types that qualify for the program include:

  • Cross-Site Scripting
  • SQL Injection
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Directory Traversal
  • Information Disclosure
  • Content Spoofing
  • Unauthorized Access
  • Privilege Escalation
  • Provisioning Errors

You may submit other types of vulnerabilities unless they are listed as out of scope (refer to the VRT for ratings, etc.).

Please share screencasts using a hosted site such as a password-protected Vimeo, etc. (please don't use anything that doesn't at least offer password protection to view/access). We will not download or view screencast files from file-sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019