Cobalt bug bounty program


Optimizely

Web and Mobile A/B Testing

#CC168

Description

At Optimizely, security is a key priority. Therefore we invite skilled researchers to participate in our bug bounty program. Below are the 3 focus areas of the program:

Web: Optimizely customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the experiments. It is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

Mobile: Optimizely customers embed a small library in their iOS or Android app. This library contains the logic for the experiments.

Editor: Optimizely customers use the editor at Optimizely.com to manage experiments for their website, such as "does the picture of the blue car or the red car get better user engagement?". Experiment results and account management are also done here.

Vulnerability types that qualify for the program include:

  • Cross-Site Scripting
  • SQL Injection
  • Remote Code Execution
  • Cross-Site Request Forgery
  • Directory Traversal
  • Information Disclosure
  • Content Spoofing
  • Unauthorized Access
  • Privilege Escalation
  • Provisioning Errors

You may submit other types of vulnerabilities unless they are listed as out of scope.

Please use a valid email address for your test accounts so that we can contact you in case of emergency.

Please share screencasts using a hosted site like Youtube. We will not download or view screencast files from file sharing sites like Dropbox due to the security risk of downloading/opening arbitrary files.

Out of scope

Depending on their impact, not all reported issues may qualify for a monetary reward.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Optimizely users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Rendering HTML content without security impact. A report of rendered HTML content must demonstrate JavaScript execution or some other malicious action.
  • Triggering emails to be sent to another user's account
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Logout CSRF
  • Pages and content cached after logout
  • Password complexity requirements
  • User account enumeration
  • Missing HTTP security headers which do not lead to a vulnerability (you must deliver a proof of concept that leverages their absence)
  • Clickjacking on static websites
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Issues related to software or protocols not under Optimizely control
  • Vulnerabilities in third-party applications or services which use or integrate with Optimizely
    • help.optimizely.com - Zendesk, report bugs here
    • community.optimizely.com - Lithium, report bugs here
    • go.optimizely.com - Marketo, report bugs here
    • learn.optimizely.com - Docebo, report bugs here
    • pages.optimizely.com - Marketo, report bugs here
    • playground.optimizely.com - an internal-only site
  • Vulnerabilities in third-party applications that are integrated with the Optimizely product via developer platform components, such as OAuth and Canvas
  • Dangling DNS Records - Issues related to stale CNAME records or any other DNS record
  • Reports from automated tools or scans without an exploitation proof of concept
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Optimizely staff or contractors or physical attempts against property
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL best practices or insecure ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
  • Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
  • Reports relating to HSTS - we can't enable it yet but plan to
  • Reports related to shared computer accounts

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great writeup of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln

Platform

Python, JavaScript, Google App Engine

The terms for running and engaging in a security program always apply.

Specs

  • Rewards

    High: $5,000
    Medium: $500
    Low: $50

  • Disclosure Rules

    Responsible disclosure

  • Access Level

    Open for all

  • Response Time / Rate

    2 - 7 days / 99%

  • Researcher Feedback

    Average of all evaluations

Latest announcements

No announcements yet

Today

yasinS submitted a report

Earlier this month

Hax submitted a report
mert submitted a report
Optimizely closed a report from AwaisNoshahiOfficial
AwaisNoshahiOfficial submitted a report
Optimizely closed a report from Vishnu_dfx
Vishnu_dfx submitted a report
Optimizely closed a report from nilesh_codex
Optimizely closed a report from nilesh_codex
Optimizely closed a report from nilesh_codex
Optimizely rewarded codecancare with a bounty and 3.4 Rep
Optimizely closed a report from nilesh_codex

February

codecancare submitted a report
Optimizely closed a report from nilesh_codex
Optimizely closed a report from nilesh_codex
Optimizely closed a report from nilesh_codex
x1t3m666 submitted a report
nilesh_codex submitted a report
nilesh_codex submitted a report
nilesh_codex submitted a report