Bug Bounty Program

At GrowthBook, we take our application’s security seriously and value security researchers' contributions to improving it. If you have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us responsibly. Below, find the rules that govern our bug bounty program.

How the Program Works

Familiarize yourself with the rules and policies laid out here before you begin testing.

Submission

Complete the bug bounty form below to report security vulnerabilities. Only vulnerabilities submitted via this form will be considered for reward.

Timeline

While we strive to meet the following response targets, these are estimates and not guarantees:
  • Time to first response (from report submission): 5 business days
  • Time to triage (from report submission): 10 business days
  • Time to bounty (from triage): 20 business days

Rewards

We offer rewards based on our assessed severity of the reported vulnerability. The exact reward amounts are at our discretion and depend on the impact and quality of the report.

Disclosure Policy

Vulnerabilities should not be publicly disclosed or shared until our investigation is complete. We adhere to a coordinated disclosure process:
  1. Researcher submits a report
  2. GrowthBook acknowledges receipt and begins investigation
  3. If validated, GrowthBook works on a fix
  4. Once fixed, GrowthBook notifies the researcher
  5. After a mutually agreed period, the vulnerability may be publicly disclosed

Program Rules

To ensure a smooth and effective bug bounty program, please adhere to the following rules:
  • Do not impact actual user accounts.
  • No DDoS or other attacks that compromise the service or network for other users.
  • No social engineering.
  • Respect user privacy. Do not access or modify data without explicit permission from the owner.
  • Don’t use scanners or automated tools.
  • Create your own testing account instead of using actual user accounts.

Out-of-Scope Vulnerabilities

The following vulnerabilities and others like them are ineligible for bounties:
  • DNS configuration or related public records
  • Email configuration
  • External auth (anything related to auth.growthbook.io) as it is managed by Auth0
  • Attacks requiring MITM (Man-In-The-Middle) or physical access to a user's device
  • Brute force attacks
  • Clickjacking
  • Content spoofing and text injection
  • CSRF (Cross-Site Request Forgery) vulnerabilities
  • Denial of Service attacks leading to resource exhaustion
  • Email SPF, DKIM, and DMARC records
  • Invite enumeration
  • Missing HttpOnly/Secure cookie flags
  • Open CORS headers
  • Reports from scanners and automated tools
  • Self-exploitation (e.g., token reuse, console scripting)
  • Social engineering or phishing attacks
  • Previously known vulnerable libraries without a working proof of concept
  • Missing best practices in SSL/TLS configuration
  • Vulnerabilities only affecting users of uncommon or out-of-date browsers
  • Tabnabbing
  • Verification email inbox spam
  • Password reset link not expiring if email address is changed
  • Vulnerability scans or dependency scans on open source repositories
Additionally, only bugs that pose a valid security vulnerability are eligible. Standard bugs that do not impact the system security are not eligible for a reward. Examples of standard bugs include but are not limited to:
  • Functional issues
  • Performance issues
  • UI/UX issues
Standard bugs should be reported as a GitHub Issue or submitted as a pull request.

Additional Guidelines

  • In case of duplicate reports, the reward will go to the first researcher who submitted a valid report. Subsequent reports of the same vulnerability will be acknowledged but not rewarded.
  • GrowthBook considers all activities conducted in a manner consistent with this policy to be authorized conduct. We will not initiate legal action against you for security research activities that adhere to this policy.
  • By participating in this program, you agree to comply with all applicable laws. GrowthBook reserves the right to modify the terms of this program at any time.
