Cobalt bug bounty program


Optimizely

Web and Mobile A/B Testing

#CC168

Description

At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:

Web: Optimizely customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the experiments. This is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

Mobile: Optimizely customers embed a small library in their iOS or Android app. This library contains the logic for the experiments.

Editor: Optimizely customers use the editor at Optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.

Vulnerability types that qualify for the program include:

  • Cross-Site Scripting
  • SQL Injection
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Directory Traversal
  • Information Disclosure
  • Content Spoofing
  • Unauthorized Access
  • Privilege Escalation
  • Provisioning Errors

You may submit other types of vulnerabilities unless they are listed as out of scope.

Please use a valid email address for your test accounts so that we can contact you in case of emergency.

Please share screencasts using a hosted site like YouTube. We will not download or view screencast files from file sharing sites like Dropbox, due to the security risk of downloading/opening arbitrary files.

Out of scope

Depending on their impact, not all reported issues may qualify for a monetary reward.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Optimizely users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Rendering HTML content without security impact. Rendering HTML content must demonstrate JavaScript execution or some other malicious action.
  • Triggering emails to be sent to another user's account
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Logout CSRF
  • Pages and content cached after logout
  • Password complexity requirements
  • User account enumeration
  • Missing HTTP security headers which do not lead to a vulnerability (you must deliver a proof of concept that leverages their absence)
  • Clickjacking on static websites
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Issues related to software or protocols not under Optimizely control
  • Vulnerabilities in third-party applications or services which use or integrate with Optimizely
    • help.optimizely.com - Zendesk, report bugs here
    • community.optimizely.com - Lithium, report bugs here
    • go.optimizely.com - Marketo, report bugs here
    • learn.optimizely.com - Docebo, report bugs here
    • pages.optimizely.com - Marketo, report bugs here
    • playground.optimizely.com - an internal-only site
  • Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
  • Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
  • Reports from automated tools or scans without an exploitation proof of concept
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Optimizely staff or contractors or physical attempts against property
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL best practices or insecure ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
  • Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
  • Reports relating to HSTS - we can't enable it yet but plan to
  • Reports related to shared computer accounts

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln

Platform

Python, JavaScript, Google App Engine

The terms for running and engaging in a security program always apply.

Specs

  • Rewards

    High: $5,000
    Medium: $500
    Low: $50

  • Disclosure Rules

    Responsible disclosure

  • Access Level

    Open for all

  • Response Time / Rate

    2 - 7 days / 99%

  • Researcher Feedback

    Average of all evaluations

Latest announcements

No announcements yet

Earlier this month

0xOrgin submitted a report
0xOrgin submitted a report
hkln1 submitted a report
Optimizely closed a report from Deepak_Noobie
hkln1 submitted a report
Optimizely rewarded adeelimtiaz90 with a bounty and 6.8 Rep
Deepak_Noobie submitted a report
Optimizely rewarded exploitprotocol with a bounty and 3.2 Rep
Optimizely rewarded exploitprotocol with a bounty and 3.2 Rep
exploitprotocol submitted a report
exploitprotocol submitted a report
Optimizely closed a report from adeelimtiaz90
Optimizely closed a report from mahtiniko

December (2016)

Optimizely closed a report from subsolo
adeelimtiaz90 submitted a report
Optimizely closed a report from Joseph96
Optimizely closed a report from noman181
noman181 submitted a report
Joseph96 submitted a report
Optimizely closed a report from Joseph96