This document outlines security procedures and general policies for the GrowthBook Open Source projects as found on https://github.com/growthbook.
The GrowthBook team take all reports of security vulnerabilities seriously. Report security vulnerabilities by emailing the GrowthBook security team at:
security@growthbook.io
We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions (if desired).
IMPORTANT: Do not file public issues on GitHub for security vulnerabilities
Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to GrowthBook privately, to minimize attacks against current users of GrowthBook before they are fixed. Vulnerabilities will be investigated and patched as soon as possible.
The GrowthBook team will respond to vulnerability reports as follows:
- The security team will investigate the vulnerability and determine its effects, criticality and scope.
- If the issue is found to be valid, the code will be patched and released as quickly as possible.
- We will attempt to identify and notify the effected users directly as soon as possible, as well as following steps mentioned in our Disclosure Process. A public disclosure date may be negotiated by the GrowthBook Security Team, and the bug submitter if required.
The security team publishes a public security advisory via GitHub. Depending on the scope of the issue, additional details may be communicated via Slack, Email, Twitter, blog and/or other channels to assist in educating GrowthBook users in rolling out a patched version.