Send it to bugs@statsig.com. Please use English when submitting.
A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:
Once we get your report, a member of our team will respond to you as soon as possible. If you submitted the report via email and don’t get a response within a few days, there’s a chance your email has been blocked by a spam filter. Don’t be afraid to resend.
Our primary focus is on high/critical findings that result in unauthorized access to user data. These are eligible for bounties. We don’t prioritize bugs that allow an attacker to bypass limits on free accounts, exceed rate limits or use simple passwords. These are not eligible for a bounty.
Due to the heavy influx of repeated, unoriginal bug reports, we are not interested in:
Thank you for your understanding!
To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who first files a report with sufficient detail.
If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. That would be a bit distasteful.
Typical time to first response is 1 business day. Typical time to triage is 3 business days. We’ll try to keep you informed about our progress throughout the process.
If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $100 per bug.
But if you find a really nasty one, the bounty goes higher. A panel of Statsig experts will consider the criticality of the bug (as well as its neatness) and determine the bounty.
We do not accept submissions from the following countries: Syria, North Korea and Crimea.