31/01/2019

Reward: $100

Segment

Segment is one place to collect customer data and send it to your tools for analytics, marketing automation, and raw data access with SQL. Implement all of your event tracking with Segment’s single API instead of wrangling a new API for every new tool or database. Segment's integrations let you send your data to hundreds of tools and databases.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Area of Focus - $5,000

Segment cares deeply about our customers and their data. Any security issue that allows unauthorized access to other customers’ event data, API keys, passwords, or other data deemed highly sensitive by Segment will be given a "P0" reward of $5,000.

Reward Range

Last updated 26 Nov 2018 21:49:55 UTC

Technical severity | Reward range
---|---
P1 Critical | Starting at: $1,500
P2 Severe | $750 - $1,100
P3 Moderate | $300 - $500
P4 Low | $100 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
app.segment.com | Website
api.segment.io | API
Source code of Website, Mobile, or Server Libraries (https://segment.com/docs/sources/) | Other
Any host / web property verified to be owned by Segment (domains/IP space/etc.) | Website

Out of scope

Target name | Type
---|---
community.segment.com | Website
segment.com/contact | Website
segment.com/jobs | Website

Access & Testing

  • Sign up for Segment using your @bugcrowdninja.com email address
  • Use Bugcrowd in your workspace names
  • Only test against accounts you have created
  • Limit your use of scanner tests based on our technology stack. Our application is primarily powered by Node.js, React, and GraphQL.

To test Segment you'll need to create a variety of data sources/destinations. We recommend using those that have a bug bounty program of their own, such as Intercom, Twilio, Facebook, or Google. Services like Heroku can be valuable for creating resources such as Postgres instances to test our warehouse products.

Libraries

Segment provides libraries written in various languages to our customers (https://segment.com/docs/sources/). We invite you to review the source code of our Website, Mobile, and Server Libraries, all of which are hosted on GitHub. Qualifying submissions must have a demonstrable impact and a realistic attack vector. Submissions that include a proposed fix will be easier for us to evaluate and reward.

Out of Scope

Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team.

Segment uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.

  • Presence or absence of DMARC/SPF records.
  • Denial of service attacks.
  • Lack of rate limiting.
  • Brute forcing attacks.

Known Issues

There are a number of known issues in the VRT category Broken Access Control related to plan tier (access to premium features) and to permission enforcement within a given workspace. Reports of these will likely be marked as duplicates.

Code of Conduct

  • Segment expects all security researchers to follow the Bugcrowd Code of Conduct.
  • Denial of service, spam, or phishing attacks are considered abusive and out of scope.
  • Do not exfiltrate Segment customer or employee data under any circumstance. Please contact us immediately if you think this is possible, or you have done so inadvertently. We will work with you to assess the full impact of the vulnerability and award appropriately.

Safe Harbor

Segment supports and encourages security research into our services.

To promote this research, we agree that, if a researcher complies with the terms of Segment’s Bug Bounty Program:

  • Segment considers access to its systems necessary to your security research to be “authorized” access under the Computer Fraud and Abuse Act.
  • Segment agrees not to pursue a civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
  • Segment will waive any DMCA claim against you for circumventing technological measures we have used to protect Segment’s applications and services in scope of the policy.
  • Segment waives any restrictions in our applicable Terms of Service that would prohibit authorized security research in compliance with Segment’s Bug Bounty Program, for the limited purpose of your security research under this policy.

Segment connects with many third-party systems and services. Our authorization to you extends only to Segment’s systems and services. Segment, however, cannot authorize research on or access to third-party products that connect with its systems or guarantee they won’t pursue legal action against you. This policy does not authorize access to or waive any claims regarding any systems other than Segment’s own. If a third party initiates a legal action despite your compliance with this bug bounty policy, upon your request, Segment will provide the third party with this policy and a statement that your actions were conducted in compliance with this policy.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2019