Platform
Resources
Docs Blog Pricing
Sign In Book a Live Demo

Bug Bounty at Statsig

Secure by design, and practice

Where to submit your bug

Send it to bugs@statsig.com. Please use English when submitting.

What to put in your bug report

A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:

  • A detailed bug description
  • The exact product version and environment you found the bug on
  • Sample code (if relevant)

What happens next?

Once we get your report, a member of our team will respond to you as soon as possible. If you submitted the report via email and don’t get a response within a few days, there’s a chance your email has been blocked by a spam filter. Don’t be afraid to resend.

What bugs are eligible for the bounty?

Our primary focus is on high/critical findings that result in unauthorized access to user data. These are eligible for bounties. We don’t prioritize bugs that allow an attacker to bypass limits on free accounts, exceed rate limits or use simple passwords. These are not eligible for a bounty.

Note

Due to the heavy influx of repeated, unoriginal bug reports, we are not interested in:

  • any of the published checklist of issues from bugcrowd, hackerone and other such online forums
  • rate limits, weak passwords, html injection in email, or similar reports
  • scripts that overload our apis or servers in uninteresting brute-force ways

Thank you for your understanding!

To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who files the right amount of details first.

If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. That would be a bit distasteful.

How long does the process take?

Typical time to first response is 1 business day. Typical time to triage is 3 business days. We’ll try to keep you informed about our progress throughout the process.

How much is a bug worth?

If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $100 per bug.

But if you find a really nasty type, the bounty goes higher. A panel of Statsig experts will consider the criticality of the bug (as well as its neatness) and determine bounty.

We do not accept submissions from the following countries: Syria, North Korea and Crimea.
We use cookies to ensure you get the best experience on our website.
Privacy Policy