Segment is one place to collect customer data and send it to your tools for analytics, marketing automation, and raw data access with SQL. Implement all of your event tracking with Segment’s single API instead of wrangling a new API for every new tool or database. Segment's integrations let you send your data to hundreds of tools and databases.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Segment cares deeply about our customers and their data. Any security issues that allow unauthorized access to other customer’s event data, API keys, passwords, or other data deemed highly sensitive by Segment will be be given a "P0" reward of $5,000.
Last updated 22 May 2019 18:02:30 UTC
Technical severity | Reward range
p1 Critical | Starting at: $1,500
p2 Severe | $750 - $1,100
p3 Moderate | $300 - $500
p4 Low | $100 - $100
P5 submissions do not receive any rewards for this program.
Target name | Type
app.segment.com | Website
api.segment.io | API
Source code of Website, Mobile, or Server Libraries
(https://segment.com/docs/sources/) | Other
Any host / web property verified to be owned by Segment (domains/IP
space/etc.) | Website
Target name | Type
community.segment.com | Website
segment.com/contact | Website
segment.com/jobs | Website
To test Segment you'll need to create a variety of data sources/destinations. We would recommend using those that have a bug bounty program such as Intercom, Twilio, Facebook, or Google. Services like Heroku can be valuable for creating resources such as Postgres instances to test our warehouses products.
Segment provides libraries written in various languages to our customers (https://segment.com/docs/sources/). We invite you to review the source code of our Website, Mobile, and Server Libraries, all of which are hosted on Github. Qualifying submissions must have a demonstrable impact and realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.
Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team.
Segment uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.
There are a number of
VRT->Broken Access Control known issues related plan
tier (access to premium features) as well as permission enforcement within a
given workspace. These will likely marked as a duplicate.
Segment supports and encourages security research into our services.
To promote this research, we agree that, if a researcher complies with the terms of Segment’s Bug Bounty Program:
Segment connects with many third-party systems and services. Our authorization to you extends only to Segment’s systems and services. Segment, however, cannot authorize research on or access to third-party products that connect with its systems or guarantee they won’t pursue legal action against you. This policy does not authorize access to or waive any claims regarding any systems other than Segment’s own. If a third party initiates a legal action despite your compliance with this bug bounty policy, upon your request, Segment will provide the third party with this policy and a statement that your actions were conducted in compliance with this policy.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.