Web and Mobile A/B Testing
At Optimizely, security is a key priority. Therefore, we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:
Mobile: Optimizely customers embed a small library in their iOS or Android app. This library contains the logic for the experiments.
Editor: Optimizely customers use the editor at Optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Customers also view experiment results and manage their accounts here.
Vulnerability types that qualify for the program include
You may submit other types of vulnerabilities unless they are listed as out of scope.
Please use a valid email address for your test accounts so that we can contact you in case of emergency.
Please share screencasts using a hosted site like YouTube. We will not download or view screencast files from file-sharing sites like Dropbox due to the security risk of downloading or opening arbitrary files.
Depending on their impact, not all reported issues may qualify for a monetary reward.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Optimizely users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln
Open for all
2 - 7 days / 99%