[{"id":3772153,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n* CORS Reports on the domain https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com will not be accepted, as this is explicitly meant to have an open CORS policy. Any reports on this will be closed as Not Applicable.\n\n* **All SSRF vulnerabilities are currently out of scope** while we work through the existing queue and develop comprehensive fixes. Any SSRF report submitted before Monday, April 6, 2026 will be validated; any net-new SSRF report will be closed. An announcement will be made when SSRF is back in scope.\n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  \n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  
\n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n==⚠ Links inside these hosts may point to production. Do *not*  follow or test them.==\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  
\n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* All Access Control issues related to permissions are out of scope as of Feb 6, 2026. An announcement will be made when this comes back in-scope.\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  \n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  
\n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  \n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by, Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-06T13:28:18.262Z"},{"id":3769347,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n* CORS Reports on the domain https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com will not be accepted, as this is explicitly meant to have an open CORS policy. 
Any reports on this will be closed as Not Applicable.\n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  \n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n==⚠ Links inside these hosts may point to production. Do *not*  follow or test them.==\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* All Access Control issues related to permissions are out of scope as of Feb 6, 2026. An announcement will be made when this comes back in-scope.\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  
\n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  \n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by, Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-06T17:09:25.116Z"},{"id":3759671,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n* CORS Reports on the domain https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com will not be accepted, as this is explicitly meant to have an open CORS policy. Any reports on this will be closed as Not Applicable.\n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  
\n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n==⚠ Links inside these hosts may point to production. Do *not*  follow or test them.==\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by, Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-22T14:22:51.544Z"},{"id":3759118,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  
\n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n==⚠ Links inside these hosts may point to production. Do *not*  follow or test them.==\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by, Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-16T00:49:57.941Z"},{"id":3759117,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  
\n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n**`⚠ Links inside these hosts may point to production. Do not  follow or test them.`**\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by, Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-15T23:50:52.939Z"},{"id":3759116,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n\n---\n\n1 Program Overview\n--------------------------\n* Braze welcomes security researchers to help protect our customers and platform.  
\n* This policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n`⚠ **Links inside these hosts may point to production. Do *not* follow or test them.**`\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-15T23:43:49.713Z"},{"id":3759115,"new_policy":"**Quick summary**\n=====================\n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n\n---\n\n1 Program Overview\n--------------------------\nBraze welcomes security researchers to help protect our customers and platform.  
\nThis policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity | \n\n---\n\n2 Eligibility Guidelines\n--------------------------\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n3 Account Setup \u0026 Test Plan\n--------------------------\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n4 In-Scope Assets\n--------------------------\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n⚠ **Links inside these hosts may point to production. Do *not* follow or test them.**\n\n---\n\n5 Rules of Engagement\n--------------------------\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n6 Ongoing Exclusions\n--------------------------\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n7 Known Issues (not bounty eligible)\n--------------------------\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  
\n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n8 Documentation\n--------------------------\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-15T23:17:11.112Z"},{"id":3759114,"new_policy":"##  **Quick summary**  \n* Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n* No automated scanners, DoS, or large-scale discovery scans  \n* Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n* Never contact Braze staff, customers, or vendors  \n* Questions about scope → security@braze.com  \n* All Tags-related findings are temporarily out of scope  \n\n---\n\n## **1 Program Overview**\nBraze welcomes security researchers to help protect our customers and platform.  
\nThis policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n## Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity |\n\n---\n\n## 2 Eligibility Guidelines\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n## 3 Account Setup \u0026 Test Plan\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n\n    | Identifier | Format |\n    |-----------------|-------------------------------------------|\n    | Your Username | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n    | Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e` |\n\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. Keep request rates under **100 r/s** — this is a shared staging cluster.\n\n---\n\n## 4 In-Scope Assets\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n⚠ **Links inside these hosts may point to production. 
Do *not* follow or test them.**\n\n---\n\n## 5 Rules of Engagement\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n***⚠️ Enforcement***\n* Any violation of the Rules of Engagement—especially testing **outside the three bug-bounty \\*.braze-dev.com hosts** will result in **immediate removal from the Braze program and loss of future eligibility**.\n\n---\n\n## 6 Ongoing Exclusions\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  \n* Tests requiring physical device access.\n\n---\n\n## 7 Known Issues (not bounty eligible)\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  
\n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  \n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n## 8 Documentation\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-15T23:02:53.291Z"},{"id":3759113,"new_policy":"#  **Quick summary**  \n\u003e • Test **only** the three *bug-bounty-*.braze-dev.com hosts listed below — **all other Braze domains are out of scope**  \n\u003e • No automated scanners, DoS, or large-scale discovery scans  \n\u003e • Use **one** test-account pattern: `h1-username[+N]@wearehackerone.com`  \n\u003e • Never contact Braze staff, customers, or vendors  \n\u003e • Questions about scope → security@braze.com  \n\u003e • All 
Tags-related findings are temporarily out of scope  \n\n---\n\n## 1 Program Overview\nBraze welcomes security researchers to help protect our customers and platform.  \nThis policy explains the rules of engagement, eligible targets, and reporting expectations.\n\n### Response Targets\n| Stage | Target (business days) |\n|-------|------------------------|\n| First response | 2 |\n| Time to triage | 2 |\n| Time to bounty | 90 |\n| Time to resolution | Varies by severity |\n\n---\n\n## 2 Eligibility Guidelines\n* Be at least **18 years old** and **not** a Braze employee, contractor, or vendor.  \n* Use **one** HackerOne profile (duplicate accounts = program ban).  \n* Not reside in a country subject to comprehensive U.S. sanctions.  \n* Follow all program rules \u0026 HackerOne's Code of Conduct.  \n* Stop testing and report immediately if you encounter customer/employee data, pre-release content, or other confidential information.\n\n---\n\n## 3 Account Setup \u0026 Test Plan\n1. **Register** your primary test account as ``\u003ch1-username\u003e`` on the signup page:  \n   \u003chttps://bug-bounty.k8s.tools-001.d-use-1.braze.com/\u003e  \n   *This registration site is **not** in scope for testing.*  \n   Extra users: append `+1`, `+2`, … (e.g. `alice+1`). Confirmation arrives at your @wearehackerone.com email alias.  \n2. **Use headers:**\n| Identifier      | Format                                   |\n|-----------------|-------------------------------------------|\n| Your Username   | `X-Bug-Bounty: HackerOne-\u003cusername\u003e`      |\n| Tool Identifier | `X-Bug-Bounty: \u003ctoolname\u003e`                |\n3. **Do not** submit Dashboard forms that reach Braze Support or other internal teams.  \n4. 
Keep request rates under 100 r/s — this is a shared staging cluster.\n\n---\n\n## 4 In-Scope Assets\n| Host | Purpose |\n|------|---------|\n| `https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com` | REST API |\n| `https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com` | Web UI |\n| `https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com` | GraphQL / misc API |\n\n⚠ **Links inside these hosts may point to production. Do *not* follow or test them.**\n\n---\n\n## 5 Rules of Engagement\n* **No automated scanners** (e.g., Nuclei) or bulk discovery scans.  \n* **No social engineering** or contact with Braze employees, customers, or vendors.  \n* **No DoS / DDoS / stress testing.**  \n* Test only with accounts you own; do not test on production sites.  \n* Submit one vulnerability per report unless chaining is needed to show impact.  \n* Stored XSS must execute on an in-scope domain **and** access that domain's DOM/cookies.  \n* Access-control reports must include the exact roles/permissions of every account used.  \n* Rate-limit bypass reports must demonstrate security impact, not just traffic volume. \n\n**⚠️ Enforcement**  \n\u003e Any violation of the Rules of Engagement—especially testing **outside the three\n\u003e bug-bounty *.braze-dev.com hosts**—will result in **immediate removal from the Braze\n\u003e program and loss of future eligibility.**\n\n---\n\n## 6 Ongoing Exclusions\n* **Tags feature** – any vulnerability involving creation, deletion, or update of Tags is out of scope until systemic issues are resolved (we'll announce when they return).  \n* Org-local data only – user-data exposure that affects **only your own org** is out of scope; show cross-org impact to qualify.  \n* DMARC/SPF issues, localhost / `0.0.0.0` SSRF, cosmetic bugs, and rate-limit findings on this dev cluster.  \n* Discovery-only results (port scanning, subdomain enumeration, Google dorks, etc.).  
\n* Tests requiring physical device access.\n\n---\n\n## 7 Known Issues (not bounty eligible)\nThe items below are accepted risk or exist only in the test environment. Reports will be closed **duplicate** or **informative**:\n\n* **Dashboard breakage via invalid parameters** – Reports that only make a dashboard feature fail to load for users in your own org are considered product bugs (effective 15 May 2025). Eligible only if an unauthorized user can trigger it **or** it disrupts all orgs.  \n* Cross-Origin Request Trust when uploading users or user profile images.  \n* CSV injection on user upload.  \n* Several horizontal IDOR patterns currently under remediation — higher duplicate probability.  \n* Webhook SSRF reachable only to `0.0.0.0` / other localhost variants.  \n* Editor XSS – payloads that fire only on the separate editor domain and cannot access the dashboard's DOM/cookies are out of scope. Stored XSS must fire in the dashboard context to be eligible.  \n* Disclosure of Internal Groups/Test Users (this is just test data).\n\n---\n\n## 8 Documentation\n* **User Docs** – \u003chttps://www.braze.com/docs/\u003e  \n* **Role Management** – \u003chttps://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\u003e  \n* **API Docs** – \u003chttps://www.braze.com/docs/api/basics/\u003e\n\n---\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is 
released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-15T22:12:39.417Z"},{"id":3757596,"new_policy":"** * We have received many reports that are around 'breaking' functionality for users of the Dashboard and making it so an item/feature will not load or other impacts to availability of features due to improper values sent in for parameters. Starting on May 15, 2025, any report around this *will not* be accepted as a valid security concern, unless the activity can be performed by a user that should not have access to the functionality or there is other clear security impact. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward they will need to have impact that extends past that of preventing users of the same Org from accessing a specific feature and would have to impact all users of the dashboard (including those from other organizations), or at least be able to perform the attack Cross-Org to impact people outside of your organization. **\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. 
Anything else is prohibited.**  \nOnly test on: \n- [https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/)\n\n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n*Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Account Registration\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier        | Format                                 |\n|-------------------|-----------------------------------------|\n| **Your Username** | `X-Bug-Bounty: HackerOne-\u003cusername\u003e`     |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`              |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. 
Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access control related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n** * Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development, and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings Section of the Dashboard. (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around the accessing of anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues will not be accepted for this program. 
The testing server does not have the WAF or other protections that production servers have, in order to make testing easier. \n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope. This includes all vulnerabilities that are related to Tags: if the use of Tags is required as part of the vulnerability, it will not be accepted while we work to address widespread issues with the Tags feature.\n\n# Known Issues\nThe following issues are known to Braze and are either in the process of being fixed or considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - when uploading users, a user's profile image\n* CSV Injection - when uploading users.\n* Several horizontal IDORs are currently known issues, so reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known SSRF in the webhooks that can reach the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue in the environment our bug bounty server runs in, the fix cannot be implemented on that server at this time. This also covers any other representation of localhost. For an SSRF to be accepted, you will be required to show the ability to bypass the protections and reach another host within the internal network, other than localhost or the default Kubernetes host. 
Port scanning is not enough to be accepted on this program.\n* When testing for XSS, note that only reports whose XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM of the in-scope domain. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors carries cookies that are nearly identical to the dashboard's, but without a session ID. For a stored XSS to be accepted, we have to see that it triggers in the context of the in-scope domain; this can be shown by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), demonstrating access to the in-scope domain's DOM and cookies.\n* Disclosing information about internal groups/test users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working 
with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-16T15:43:14.710Z"},{"id":3756973,"new_policy":"** * We have received many reports about 'breaking' functionality for users of the Dashboard, making it so an item/feature will not load, or other impacts to the availability of features, due to improper values sent in for parameters. Starting on May 15, 2025, any report around this *will not* be accepted as a valid security concern unless the activity can be performed by a user that should not have access to the functionality or there is other clear security impact. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, their impact must extend past preventing users of the same Org from accessing a specific feature: they must impact all users of the dashboard (including those from other organizations), or at least be performable cross-Org to impact people outside of your organization. **\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. 
Anything else is prohibited.**  \nOnly test on: \n- [https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/)\n\n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Account Registration\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier        | Format                                 |\n|-------------------|-----------------------------------------|\n| **Your Username** | `X-Bug-Bounty: HackerOne-\u003cusername\u003e`     |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`              |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report received (provided that it can be fully reproduced).\n* Testing against any item outside the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be sent to Braze Support or other teams/employees.\n* Please read the docs on Dashboard User Permissions listed below.\n* Stored XSS reports must trigger on the in-scope domains and have access to the DOM in order to be accepted. 
Any XSS that triggers on a third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the document object/cookies, will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, before reporting client-side vulnerabilities (example: changing a `false` value to `true` so that a new part of the UI is displayed), confirm that the newly exposed functionality actually works. Merely seeing the UI after changing false -\u003e true is not enough to be accepted; the report must show that the functionality can actually be used. \n* When reporting access control issues, the report **must** contain the exact permissions of all accounts involved. We need this to triage the issue, and no report will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report about access control issues, include the exact permissions that each user in the attack/exploit has been granted, as these are required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n** * Functionality that is considered Under Development, or in the 'Alpha' stage, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests; reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything under the Company Settings section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any report about users with the Manage Company Settings permission accessing anything in this section will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAnything on a *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze employee, vendor, or customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: port scanning, subdomain discovery, Google dorking (unless it targets the in-scope domain only), cache searching, Nuclei scanning.\n\nRate limiting issues will not be accepted for this program. 
The testing server does not have the WAF or other protections that production servers have, in order to make testing easier. \n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following issues are known to Braze and are either in the process of being fixed or considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - when uploading users, a user's profile image\n* CSV Injection - when uploading users.\n* Several horizontal IDORs are currently known issues, so reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known SSRF in the webhooks that can reach the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue in the environment our bug bounty server runs in, the fix cannot be implemented on that server at this time. This also covers any other representation of localhost. For an SSRF to be accepted, you will be required to show the ability to bypass the protections and reach another host within the internal network, other than localhost or the default Kubernetes host. 
Port scanning is not enough to be accepted on this program.\n* When testing for XSS, note that only reports whose XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM of the in-scope domain. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors carries cookies that are nearly identical to the dashboard's, but without a session ID. For a stored XSS to be accepted, we have to see that it triggers in the context of the in-scope domain; this can be shown by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), demonstrating access to the in-scope domain's DOM and cookies.\n* Disclosing information about internal groups/test users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working 
with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-05T21:42:38.274Z"},{"id":3756956,"new_policy":"** * We have received many reports about 'breaking' functionality for users of the Dashboard, making it so an item/feature will not load due to improper values sent in for various parameters. Starting on May 15, 2025, any report around this will not be accepted as a valid security concern unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, their impact must extend past preventing users of the same Org from accessing a specific feature: they must impact all users of the dashboard (including those from other organizations), or at least be performable cross-Org to impact people outside of your organization. **\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. 
Anything else is prohibited.**  \nOnly test on: \n- [https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/)\n\n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Account Registration\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier        | Format                                 |\n|-------------------|-----------------------------------------|\n| **Your Username** | `X-Bug-Bounty: HackerOne-\u003cusername\u003e`     |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`              |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report received (provided that it can be fully reproduced).\n* Testing against any item outside the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be sent to Braze Support or other teams/employees.\n* Please read the docs on Dashboard User Permissions listed below.\n* Stored XSS reports must trigger on the in-scope domains and have access to the DOM in order to be accepted. 
Any XSS that triggers on a third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the document object/cookies, will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, before reporting client-side vulnerabilities (example: changing a `false` value to `true` so that a new part of the UI is displayed), confirm that the newly exposed functionality actually works. Merely seeing the UI after changing false -\u003e true is not enough to be accepted; the report must show that the functionality can actually be used. \n* When reporting access control issues, the report **must** contain the exact permissions of all accounts involved. We need this to triage the issue, and no report will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report about access control issues, include the exact permissions that each user in the attack/exploit has been granted, as these are required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n** * Functionality that is considered Under Development, or in the 'Alpha' stage, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests; reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything under the Company Settings section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any report about users with the Manage Company Settings permission accessing anything in this section will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAnything on a *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze employee, vendor, or customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: port scanning, subdomain discovery, Google dorking (unless it targets the in-scope domain only), cache searching, Nuclei scanning.\n\nRate limiting issues will not be accepted for this program. 
The testing server does not have the WAF or other protections that production servers have, in order to make testing easier. \n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following issues are known to Braze and are either in the process of being fixed or considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - when uploading users, a user's profile image\n* CSV Injection - when uploading users.\n* Several horizontal IDORs are currently known issues, so reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known SSRF in the webhooks that can reach the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue in the environment our bug bounty server runs in, the fix cannot be implemented on that server at this time. This also covers any other representation of localhost. For an SSRF to be accepted, you will be required to show the ability to bypass the protections and reach another host within the internal network, other than localhost or the default Kubernetes host. 
Port scanning is not enough to be accepted on this program.\n* When testing for XSS, note that only reports whose XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM of the in-scope domain. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors carries cookies that are nearly identical to the dashboard's, but without a session ID. For a stored XSS to be accepted, we have to see that it triggers in the context of the in-scope domain; this can be shown by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), demonstrating access to the in-scope domain's DOM and cookies.\n* Disclosing information about internal groups/test users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working 
with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 days after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-05T16:53:02.687Z"},{"id":3755808,"new_policy":"** * We have received many reports about 'breaking' functionality for users of the Dashboard, making it so an item/feature will not load due to improper values sent in for various parameters. Starting on May 15, 2025, any report around this will not be accepted as a valid security concern unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, their impact must extend past preventing users of the same Org from accessing a specific feature: they must impact all users of the dashboard (including those from other organizations), or at least be performable cross-Org to impact people outside of your organization. **\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. 
Anything else is prohibited.**  \nOnly test on: \n- [https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-rest.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-dashboard.k8s.tools-001.d-use-1.braze-dev.com/)\n- [https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/](https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/)\n\n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Account Registration\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier        | Format                                 |\n|-------------------|-----------------------------------------|\n| **Your Username** | `X-Bug-Bounty: HackerOne-\u003cusername\u003e`     |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`              |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report received (provided that it can be fully reproduced).\n* Testing against any item outside the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be sent to Braze Support or other teams/employees.\n* Please read the docs on Dashboard User Permissions listed below.\n* Stored XSS reports must trigger on the in-scope domains and have access to the DOM in order to be accepted. 
Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting client-side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access-control-related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n* **The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n* **Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release.**\n* **The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around accessing anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed.**\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze employee, vendor, or customer. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that contains some of the editors has cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookies.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API - https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ (Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.)\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-16T18:23:12.005Z"},{"id":3755791,"new_policy":"* **We have received many reports that are around 'breaking' functionality for users of the Dashboard and making it so an item/feature will not load due to improper values sent in for various parameters. 
Starting on May 15, 2025, any report around this will not be accepted as a valid security concern, unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, they will need to have impact that extends past that of preventing users of the same Org from accessing a specific feature and would have to impact all users of the dashboard (including those from other organizations), or at least be able to perform the attack Cross-Org to impact people outside of your organization.**\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. Anything else is prohibited.**  \n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Account Registration\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier          | Format                                  |\n|---------------------|-----------------------------------------|\n| **Your Username**   | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`           |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. 
Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting client-side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access-control-related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n* **The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n* **Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release.**\n* **The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around accessing anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed.**\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze employee, vendor, or customer. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that contains some of the editors has cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookies.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API - https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ (Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.)\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-16T17:26:22.428Z"},{"id":3755790,"new_policy":"* **We have received many reports that are around 'breaking' functionality for users of the Dashboard and making it so an item/feature will not load due to improper values sent in for various parameters. 
Starting on May 15, 2025, any report around this will not be accepted as a valid security concern, unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, they will need to have impact that extends past that of preventing users of the same Org from accessing a specific feature and would have to impact all users of the dashboard (including those from other organizations), or at least be able to perform the attack Cross-Org to impact people outside of your organization.**\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. Anything else is prohibited.**  \n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Use your hacker email alias when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n#### Account Registration\n\n- Register accounts using your `\u003cusername\u003e@wearehackerone.com` address.\n- To create additional accounts, use the `+N` format:\n  - `\u003cusername\u003e+1@wearehackerone.com`\n  - `\u003cusername\u003e+2@wearehackerone.com`\n  - etc.\n\n\u003e ⚠️ **Reports from users not utilizing their @wearehackerone.com alias will be ineligible for bounty.**  \n\u003e ❌ **Any accounts created without using the hacker email alias will be removed.**  \n\u003e 🚫 **Repeated violators of this process will be banned from this program.**\n\n#### 📌 Header Guidelines\n\nInclude custom headers in **all requests** where possible:\n\n| Identifier          | Format                                  |\n|---------------------|-----------------------------------------|\n| **Your Username**   | `X-Bug-Bounty: HackerOne-\u003cusername\u003e` |\n| **Tool Identifier** | `X-Bug-Bounty: \u003ctoolname\u003e`           |\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. 
Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting client-side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access-control-related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n* **The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. 
**\n* **Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release.**\n* **The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around accessing anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed.**\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze employee, vendor, or customer. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. Please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain will be accepted or rewarded, and the payload must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that contains some of the editors has cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (for example, updating a profile, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookies.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API - https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ (Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.)\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-16T17:21:58.641Z"},{"id":3755789,"new_policy":"* **We have received many reports that are around 'breaking' functionality for users of the Dashboard and making it so an item/feature will not load due to improper values sent in for various parameters. 
Starting on May 15, 2025, any report around this will not be accepted as a valid security concern, unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward, they will need to have impact that extends past that of preventing users of the same Org from accessing a specific feature and would have to impact all users of the dashboard (including those from other organizations), or at least be able to perform the attack Cross-Org to impact people outside of your organization.**\n\n==\u003e **🚨 Important - activity that will get you removed from the Braze program:**==\n\u003e\n\u003e **• No automated scanners (e.g., Nuclei or similar).**  \n\u003e **• Test only in‑scope assets. Anything else is prohibited.**  \n\u003e **• Do not contact or interact with Braze Support, employees, vendors, customers, or any accounts you do not own.**  \n\u003e **• Create test accounts with your @wearehackerone.com alias only.**\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. 
Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access control related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n*** Do not run Nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. 
If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. **\n** * Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings Section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around the accessing of anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. 
Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. 
The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded, and they must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors contains cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (update a profile, for example, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookie.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-16T17:16:40.585Z"},{"id":3755665,"new_policy":"** * We have received many reports that are around 'breaking' functionality for users of the Dashboard and making it so an item/feature will not load due to improper values sent in for various parameters. 
Starting on May 15, 2025, any report around this will not be accepted as a valid security concern, unless the activity can be performed by a user that should not have access to the functionality. These are considered 'product bugs' and not security issues, and we are unable to accept product bugs on this program. For these issues to be accepted moving forward they will need to have impact that extends past that of preventing users of the same Org from accessing a specific feature and would have to impact all users of the dashboard (including those from other organizations), or at least be able to perform the attack cross-org to impact people outside of your organization. **\n\n# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. 
Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n* When reporting access control related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n*** Do not run Nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. **\n** * Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings Section of the Dashboard (examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around the accessing of anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. 
If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded, and they must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors contains cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (update a profile, for example, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookie.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-15T00:55:44.092Z"},{"id":3755422,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. 
\n* When reporting access control related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n*** Do not run Nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. **\n** * Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings Section of the Dashboard 
(examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around the accessing of anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. 
Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded, and they must have access to the DOM object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the second domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well. The domain that hosts some of the editors contains cookies that are nearly identical to the dashboard's, but without a session ID.  
For a stored XSS to be accepted, we have to see that it can trigger in the context of the in-scope domain; this can be done by performing some kind of action on the dashboard (update a profile, for example, since all users can update their profile), so that it can be shown that it has access to the in-scope domain's DOM and cookie.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-12T19:13:15.283Z"},{"id":3755393,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. 
\n* When reporting access control related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n*** Do not run Nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n* When filing a report around access control issues, please include the exact permissions that each user in the attack/exploit has been granted, as these will be required in order to triage the report.\n\n# Please Note!\n** * The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted. **\n** * Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release. **\n** * The Manage Company Settings permission is considered an Admin-like permission. As such, any user with this permission is explicitly expected to be able to access anything that is under the Company Settings Section of the Dashboard 
(examples: Admin Settings, Billing, Company Users, Permission Settings). Any reports around the accessing of anything in this section for users that have the Manage Company Settings permission will not be accepted and will be closed. **\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is out of scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customer. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze, and are in the process of being fixed or are considered accepted risk because they exist only in the test environment. 
Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types; please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain and has access to the DOM object of the in-scope domain will be accepted or rewarded. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. 
Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-12T15:40:43.243Z"},{"id":3755383,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the Document Object/Cookie, will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. 
\n* When reporting access-control-related issues, the report **must** contain the exact permissions of all accounts involved, as this is required for us to triage the issue, and no reports will be triaged until this information is provided.\n\n*** Do not run nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Please Note!\n* The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted.\n* Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release.\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. 
Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion, or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze that are in the process of being fixed or are considered accepted risk because they only exist in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types; please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. 
The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain and has access to the DOM object of the in-scope domain will be accepted or rewarded. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. 
Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-12T13:22:50.305Z"},{"id":3755118,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the Document Object/Cookie, will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n\n*** Do not run nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. 
If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Please Note!\n* The Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted.\n* Functionality that is considered Under Development, or in 'Alpha' stages, is not in scope of the program. These features are actively under development and have not gone through internal security reviews/pentests, and reports on this functionality will not be accepted until it moves into a Beta or GA release.\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion, or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze that are in the process of being fixed or are considered accepted risk because they only exist in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types; please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain and has access to the DOM object of the in-scope domain will be accepted or rewarded. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our 
users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T17:01:07.392Z"},{"id":3755112,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the Document Object/Cookie, will not be accepted without proof that it can access the document object of the in-scope asset. \n* When testing the application, please make sure that before reporting Client Side vulnerabilities (example: changing a `false` value to `true` and a new part of the UI being displayed) you confirm that the newly exposed functionality actually works. 
Just being able to see the UI after changing a false -\u003e true will not be enough to be accepted, and it will be required to show that the functionality can actually be used. \n\n*** Do not run nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Please Note!\nThe Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted.\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion, or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze that are in the process of being fixed or are considered accepted risk because they only exist in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types; please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain and has access to the DOM object of the in-scope domain will be accepted or rewarded. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our 
users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T14:06:24.878Z"},{"id":3755111,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out-of-scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any third-party domain (S3, BeeFree, etc.) or the Braze sandbox domain (br-rndr.com), or that cannot access the Document Object/Cookie, will not be accepted without proof that it can access the document object of the in-scope asset. 
\n\n*** Do not run nuclei or similar tools, as any testing performed on out-of-scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign-up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the program.\n\n# Please Note!\nThe Manager Dashboard Users permission is meant to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted.\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope.\n\nAny *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in-scope domain only), Cache Searching, Nuclei Scanning.\n\nAny rate-limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device is unlikely to be accepted.\n\nAs mentioned in the latest announcement on Bugcrowd from 02/10/2025, Tags (their creation, deletion, or update) are currently out of scope while we work to address a systemic issue related to them. A new announcement will be made once they come back in scope.\n\n# Known Issues\nThe following are issues known to Braze that are in the process of being fixed or are considered accepted risk because they only exist in the test environment. Please do not report the following, as they will be rejected and will not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a user's profile image\n* CSV Injection - When uploading users.\n* Several horizontal IDORs are currently known issues, so any reports about these have a higher duplicate likelihood than other bug types; please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0; any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix cannot be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default Kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please note that only reports in which the XSS triggers on the in-scope domain and has access to the DOM object of the in-scope domain will be accepted or rewarded. We have begun rolling out a change that moves the editors and other functionality to a separate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that cannot access the context/cookies of the parent in-scope domain, will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our 
users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T14:01:34.174Z"},{"id":3755061,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. 
\n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Please Note!\nThe Manager Dashboard Users permission is ment to be able to create users of ANY permission level, even those exceeding their own. This is working as designed, and reports around this will not be accepted.\n\n# Out of Scope\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Known Issues\nThe following are issues known to Braze, and are the process of being fixed or considered accepted risk because of only existing in the test enviroment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a users profile image\n* CSV Injection - When uploading users.\n* Several horizontal idors are currently known issues, so any reports about these have a higher duplicate likelyhood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0 any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix can not be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default kubernetes host. 
Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded and must have access to the dom object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a seperate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that can not access the context/cookies of the parent in-scope domain will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is 
released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T06:58:03.683Z"},{"id":3755057,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. 
If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Out of Scope\nOut of Scope:\n\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Known Issues\nThe following are issues known to Braze, and are the process of being fixed or considered accepted risk because of only existing in the test enviroment. 
Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a users profile image\n* CSV Injection - When uploading users.\n* Several horizontal idors are currently known issues, so any reports about these have a higher duplicate likelyhood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0 any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix can not be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded and must have access to the dom object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a seperate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that can not access the context/cookies of the parent in-scope domain will not be accepted moving forward. 
Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n* Disclosing information about Internal Groups/Test Users will not be accepted, as these are test users and do not map back to legitimate users or data.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T03:21:16.109Z"},{"id":3755056,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Out of Scope\nOut of Scope:\n\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Known Issues\nThe following are issues known to Braze, and are the process of being fixed or considered accepted risk because of only existing in the test enviroment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a users profile image\n* CSV Injection - When uploading users.\n* Several horizontal idors are currently known issues, so any reports about these have a higher duplicate likelyhood than other bug types. 
So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0 any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix can not be implemented on the server at this time. This includes any other iteration of localhost, and in order for an SSRF to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost or the default kubernetes host. Port scanning is not enough to be accepted on this program.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded and must have access to the dom object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a seperate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that can not access the context/cookies of the parent in-scope domain will not be accepted moving forward. 
Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T03:07:26.579Z"},{"id":3755055,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. 
Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Out of Scope\nOut of Scope:\n\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. 
If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Known Issues\nThe following are issues known to Braze, and are the process of being fixed or considered accepted risk because of only existing in the test enviroment. Please do not report the following, as they will be rejected and not count for points or reward:\n\n* Cross Origin Request Trust - When uploading users, a users profile image\n* CSV Injection - When uploading users.\n* Several horizontal idors are currently known issues, so any reports about these have a higher duplicate likelyhood than other bug types. So please keep this in mind during your testing.\n* There is a known issue with an SSRF in the webhooks that can access the IP address 0.0.0.0 any reports for this vulnerability will be marked as duplicates. The vulnerability has been fixed in our production and staging instances, but due to a configuration issue that exists in the environment our Bug Bounty server is run in, the fix can not be implemented on the server at this time. 
This includes any other iteration of localhost, and in order for an SSRF on the webhook functionality to be accepted, you will be required to show the ability to bypass the protections and access another host within the internal network, for any internal host other than localhost.\n* When testing for XSS attacks, please make note that only reports that have the XSS trigger on the in-scope domain will be accepted or rewarded and must have access to the dom object of the in-scope domain to be accepted. We have begun rolling out a change that moves the editors and other functionality to a seperate domain to limit/negate the impact of XSS attacks. Payloads that fire on the 2nd domain, or that can not access the context/cookies of the parent in-scope domain will not be accepted moving forward. Currently the Classic HTML editor has been migrated, and the other editors are in the process as well.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by 
Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T03:06:19.902Z"},{"id":3755052,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. 
If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Out of Scope\nOut of Scope:\n\nExposing the information of Dashboard users from within the same organization is a known issue, and will not be accepted unless the issue can be exploited by a user that does not belong to the org.\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. 
This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T23:19:56.590Z"},{"id":3755051,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the inscope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Out of Scope\nOut of Scope:\n\nDMARC/SPF is Out of Scope\n\nAnything on *.braze.com / *.braze.eu / *.appboy.com subdomain is out of scope for this program unless it has explicitly been added to the scope. Please do not test against assets that are not listed as in scope. If you have a question about the scope, please reach out to security@braze.com and we will answer questions as needed.\n\nDo not attempt to interact with any Braze Employee, Vendor, or Customers. This includes any sort of social engineering or contacting any sales/support staff.\n\nDo not attempt any DoS/DDoS attacks/stress testing of any kind.\n\nDo not perform any sort of discovery, which includes but is not limited to: Port Scanning, Subdomain Discovery, Google Dorking (unless it includes the in scope domain only), Cache Searching, Nuclei Scanning\n\nAny rate limiting issues resulting in email flooding will not be accepted for this program.\n\nAny attack requiring physical access to a device will not likely be accepted.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the 
researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T23:17:51.083Z"},{"id":3755046,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains and have access to the DOM Object in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) or cannot access the Document Object/Cookie will not be accepted without proof they can access the document object of the in-scope asset. 
\n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is 
released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T21:13:19.358Z"},{"id":3755044,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n* Stored XSS reports must trigger from the in-scope domains in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) will not be accepted without proof they can access the document object of the in-scope asset. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T20:12:35.818Z"},{"id":3755043,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n* Stored XSS reports must trigger from the in-scope domains in order to be accepted. Any XSS that triggers on any 3rd party domain (s3, BeeFree etc) or the Braze sandbox domain (br-rndr.com) will not be accepted without proof they can access the document object of the in-scope asset. 
\n\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T20:09:04.532Z"},{"id":3755040,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. 
Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help 
keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T19:08:34.758Z"},{"id":3755039,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n\n*** Do not run nuclei or similar tools, as any testing performed on out of scope assets will result in a warning or ban from the program.\n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T19:06:14.151Z"},{"id":3755038,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program. If you experience problems with this link, please reach out via email to thomas.devoss@braze.com\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Braze is looking forward to working with the researcher community to help keep our users and their data safe.\n","platform_standards_exclusions":["{\"platform_standard\":\"PAYING_FOR_NEW_ZERO_DAYS\",\"justification\":\"Bounties are not awarded for 0days in code that is not owned by, or modified by Braze until 30 after a patch is released.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T18:53:29.338Z"},{"id":3755035,"new_policy":"# Disclosure Policy\n* Braze does not allow the disclosure of vulnerabilities submitted through this program.\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Testing against any item outside of the explicitly approved scope is prohibited. Out of scope testing will not receive a bounty under any circumstances, regardless of the severity.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not submit any forms that will be submitted to Braze Support or other teams/employees.\n* Please read the docs around the Dashboard User Permissions listed below. \n\n# Test Plan\n* Users are able to sign up and provision two organization accounts using the link: https://bug-bounty.k8s.tools-001.d-use-1.braze.com/ . You are welcome to create as many organizations as you would like, but the sign up form is explicitly OUT OF SCOPE for the program.\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com). 
Any accounts created without using the hacker email alias will be removed, and repeated violators of this process will be banned from the programs.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\n# Documentation:\n* User Documentation - https://www.braze.com/docs/\n* Role Management Documentation - https://www.braze.com/docs/user_guide/administrative/manage_your_braze_users/\n* API: https://bug-bounty-api.k8s.tools-001.d-use-1.braze-dev.com/ Braze provides a high-performance REST API to allow you to track users, send messages, export data, and more.\n* API Documentation - https://www.braze.com/docs/api/basics/\n\nThank you for helping keep Braze and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T18:43:04.650Z"}]