GrowthBook vulnerability disclosure process

Use the form to report a vulnerability according to the guidelines below. Please include a clear description of the issue and steps to reproduce it.

Vulnerability disclosures

GrowthBook takes security seriously. We do mandatory code reviews on every PR, conduct regular security reviews, and run routine penetration testing. If you've found a security vulnerability, we welcome responsible disclosure and will work with you to investigate and resolve it.

Our disclosure process

We follow a coordinated disclosure process:

• You submit a report
• GrowthBook acknowledges receipt and begins investigation
• If validated, we work on a fix
• We notify you once the fix is deployed
• After a mutually agreed period, you may publicly disclose the vulnerability

Please hold off on public disclosure until our investigation is complete.

Rewards

We don't offer financial rewards, but we'll send you GrowthBook merch or give you a shout-out on GitHub if you find something meaningful.

Responsible testing guidelines

• Test only against accounts you own — create a dedicated test account rather than using real user accounts
• Avoid automated scanners or scripts
• Don't run pen tests that affect other users' experience
• No DDoS, social engineering, or access to user data without explicit permission
• Don't test our live chat

Out-of-scope vulnerabilities

The following are low-signal and generally won't be investigated:

• DNS configuration or related public records
• Email configuration including SPF, DKIM, and DMARC records
• External authentication: anything related to auth.growthbook.io, which is managed by Auth0
• Attacks requiring MITM or physical access to a user's device
• Brute force attacks
• Clickjacking
• Content spoofing and text injection
• CSRF vulnerabilities
• Denial of service attacks leading to resource exhaustion
• Invite enumeration
• Missing HttpOnly or Secure cookie flags
• Open CORS headers
• Reports from scanners and automated tools
• Self exploitation such as token reuse or console scripting
• Social engineering or phishing attacks
• Previously known vulnerable libraries without a working proof of concept
• Missing best practices in SSL or TLS configuration
• Vulnerabilities only affecting users of out of date browsers
• Tabnabbing
• Verification email inbox spam
• Password reset links that do not expire after an email address change
• Vulnerability or dependency scans on open source repositories
• Rate limiting

Standard bugs (functional, performance, UI/UX) should be filed as a GitHub issue or submitted as a pull request.
