Bug Bounty at Statsig

Secure by design, and practice

Where to submit your bug

Send it to bugs@statsig.com. Please use English when submitting.

What to put in your bug report

A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:

  • A detailed bug description
  • The exact product version and environment you found the bug on
  • Sample code (if relevant)

What happens next?

Once we get your report, a member of our team will respond to you as soon as possible. If you submitted the report via email and don’t get a response within a few days, there’s a chance your email has been blocked by a spam filter. Don’t be afraid to resend.

What bugs are eligible for the bounty?

Our primary focus is on high/critical findings that result in unauthorized access to user data. These are eligible for bounties. We don’t prioritize bugs that allow an attacker to bypass limits on free accounts, exceed rate limits or use simple passwords. These are not eligible for a bounty.

Note

Due to the heavy influx of repeated, unoriginal bug reports, we are not interested in any issue taken from the published checklists on Bugcrowd, HackerOne and similar platforms.

To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty goes to the researcher who first files a report with enough detail for us to reproduce it.

If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty. That would be a bit distasteful.

How long does the process take?

Typical time to first response is 1 business day. Typical time to triage is 3 business days. We’ll try to keep you informed about our progress throughout the process.

How much is a bug worth?

If your bug is enough to make our security team’s skin crawl and is accepted as eligible for the bounty, the base payment is $100 per bug.

But if you find a really nasty one, the bounty goes higher. A panel of Statsig experts will consider the criticality of the bug (as well as the quality of the report) and determine the bounty.

We do not accept submissions from the following countries and regions: Syria, North Korea and Crimea.
