Does GrowthBook Have a Bug Bounty Program?

At GrowthBook, we take our application’s security seriously and value contributions to improving it. We do mandatory code reviews for every PR, do security reviews, and routinely do penetration testing. If you have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us responsibly.

However, due to the high volume of very low quality and incorrect vulnerability reports, GrowthBook no longer offers a paid Bug Bounty program. If you find something particularly interesting, we're happy to send you some GrowthBook merch.

Disclosing Vulnerabilities

If you've found something, you can report it below.
Report a Vulnerability

FAQ

Does GrowthBook offer rewards?

We do not offer a financial reward for disclosed bugs, however, we will send you some merch or shout you out on our github if you find something interesting.

What is your disclosure policy?

Vulnerabilities should not be publicly disclosed or shared until our investigation is complete. We adhere to a coordinated disclosure process:
  1. Researcher submits a report
  2. GrowthBook acknowledges receipt and begins investigationIf validated,
  3. GrowthBook works on a fix
  4. Once fixed, GrowthBook notifies the researcher
  5. After a mutually agreed period, the vulnerability may be publicly disclosed

If we do want to disclose a bug, what are the rules?

If you are still interested in submitting a bug, please do not run automated scripts. You can be sure that the scripts have been run hundreds of times before. Please do not run automated pen tests. Any pen testing must not effect our users experience.
  • Do not impact actual user accounts.
  • No DDoS or other attacks that compromise the service or network for other users.
  • No social engineering.
  • Respect user privacy. Do not access or modify data without explicit permission from the owner.
  • Don’t use scanners or automated tools.
  • Create your own testing account instead of using actual user accounts.
  • Do not pen test our live chats

What might be out-of-scope?

The following vulnerabilities are not really of interest to us
  • DNS configuration or related public records
  • Email configuration
  • External auth (anything related to auth.growthbook.io) as it is managed by Auth0
  • Attacks requiring MITM (Man-In-The-Middle) or physical access to a user's device
  • Brute force attacks
  • DNS configuration or related public records
  • Email configuration
  • External auth (anything related to auth.growthbook.io) as it is managed by Auth0
  • Attacks requiring MITM (Man-In-The-Middle) or physical access to a user's device
  • Brute force attacks
  • Clickjacking
  • Content spoofing and text injection
  • CSRF (Cross-Site Request Forgery) vulnerabilities
  • Denial of Service attacks leading to resource exhaustion
  • Email SPF, DKIM, and DMARC records
  • Invite enumeration
  • Missing HttpOnly/Secure cookie flags
  • Open CORS headers
  • Reports from scanners and automated tools
  • Self-exploitation (e.g., token reuse, console scripting)
  • Social engineering or phishing attacks
  • Previously known vulnerable libraries without a working proof of concept
  • Missing best practices in SSL/TLS configuration
  • Vulnerabilities only affecting users of uncommon or out-of-date browsers
  • Tabnabbing
  • Verification email inbox spam
  • Password reset link not expiring if email address is changed
  • Vulnerability scans or dependency scans on open source repositories
  • Rate limiting
Additionally, only bugs that pose a valid security vulnerability are eligible. Standard bugs that do not impact the system security are not eligible for a reward. Examples of standard bugs include but are not limited to:
  • Functional issues
  • Performance issues
  • UI/UX issues
Standard bugs should be reported as a GitHub Issue or submitted as a pull request.

Enjoy unlimited experiments for unlimited traffic. All for free.

Book a DemoCreate Free Account
No credit card required