Braze, Inc. Bug Bounty Program
Introduction
Braze is looking forward to working with the researcher community to help keep our users and their data safe.
Program Highlights
- Gold Standard Safe Harbor – Adheres to Gold Standard Safe Harbor
- Coordinated Vulnerability Disclosure – Undeclared
- Top Response Efficiency – This program's response efficiency is above 90%
- Managed by HackerOne – Collaboration Enabled, Includes Retesting
Response Times
- Average time to first response: 3 hours
- Average time to triage: 21 hours
- Average time to bounty: 2 weeks, 4 days
- Average time from submission to bounty: 2 weeks, 4 days
- Average time to resolution: 1 week, 5 days
Response Targets
| Stage | Target (business days) |
|---|---|
| First response | 2 |
| Time to triage | 2 |
| Time to bounty | 90 |
| Time to resolution | Varies by severity |
Rewards Summary
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and reward decisions are at the discretion of Braze.
| Severity | Bounty Range |
|---|---|
| Low | $100–$500 |
| Medium | $750–$1,200 |
| High | $1,500–$2,500 |
| Critical | $4,000–$5,000 |
Eligibility Guidelines
- Be at least 18 years old and not a Braze employee, contractor, or vendor.
- Use one HackerOne profile (duplicate accounts = program ban).
- Not reside in a country subject to comprehensive U.S. sanctions.
- Follow all program rules & HackerOne's Code of Conduct.
- Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.
Quick Summary
- Test only the three bug-bounty*.braze-dev.com hosts listed below; all other Braze domains are out of scope
- No automated scanners, DoS, or large-scale discovery scans
- Use one test-account pattern: h1-username[+N]@wearehackerone.com
- Never contact Braze staff, customers, or vendors
- Questions about scope → [email protected]
- All Tags-related findings are temporarily out of scope
- CORS Reports on the domain https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com will not be accepted, as this is explicitly meant to have an open CORS policy. Any reports on this will be closed as Not Applicable.
Account Setup & Test Plan
Register your primary test account on the signup page:
https://bug-bounty.k8s.tools-001.d-use-1.braze.com/
This registration site is not in scope for testing.
Extra users: append +1, +2, … (e.g. alice+1). Confirmation arrives at your @wearehackerone.com email alias.
Use headers:
| Identifier | Format |
|---|---|
| Your Username | X-Bug-Bounty: HackerOne-<username> |
| Tool Identifier | X-Bug-Bounty: <tool identifier> |
- Do not submit Dashboard forms that reach Braze Support or other internal teams.
- Keep request rates under 100 r/s — this is a shared staging cluster.
In-Scope Assets
⚠ Links inside these hosts may point to production. Do not follow or test them.
Rules of Engagement
- No automated scanners (e.g., Nuclei) or bulk discovery scans.
- No social engineering or contact with Braze employees, customers, or vendors.
- No DoS / DDoS / stress testing.
- Test only with accounts you own; do not test on production sites.
- Submit one vulnerability per report unless chaining is needed to show impact.
- Stored XSS must execute on an in-scope domain and access that domain's DOM/cookies.
- Access-control reports must include the exact roles/permissions of every account used.
- Rate-limit bypass reports must demonstrate security impact, not just traffic volume.
Enforcement
Any violation of the Rules of Engagement, especially testing outside the three bug-bounty*.braze-dev.com hosts, will result in immediate removal from the Braze program and loss of future eligibility.
Scope Exclusions
Ongoing Exclusions
- All Access Control issues related to permissions are out of scope as of Feb 6, 2026. An announcement will be made when this comes back in-scope.
- Tags feature – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).
- Org-local data only – user-data exposure that affects only your own org is out of scope; show cross-org impact to qualify.
- DMARC/SPF issues, localhost / 0.0.0.0 SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.
- Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).
- Tests requiring physical device access.
Known Issues (Not Bounty Eligible)
The items below are accepted risk or exist only in the test environment. Reports on them will be closed as Duplicate or Informative:
- Dashboard breakage via invalid parameters – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it or it disrupts all orgs.
- Cross-Origin Request Trust when uploading users or user profile images.
- CSV injection on user upload.
- Several horizontal IDOR patterns currently under remediation — higher duplicate probability.
- Webhook SSRF reachable only to 0.0.0.0 / other localhost variants.
- Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.
- Disclosure of Internal Groups/Test Users (this is just test data).
Documentation
Thank you for helping keep Braze and our users safe!