Eventbrite Bug Bounty Program
At Eventbrite, we deeply value the safety and security of our users. We go to great lengths to ensure that our systems are built and maintained to the highest standards, but we also recognize that no system or platform is without flaws. To that end, Eventbrite wishes to recognize and appreciate the contribution of public security reporters who take an interest in Eventbrite's security and help further protect its users, customers, and employees by responsibly disclosing any security vulnerabilities they find through this program. This program helps us continue strengthening our platform, and we appreciate the community's help in this mission.
In this article
Rules of Engagement
Breach of Rules of Engagement
Legal Indemnification / Safe Harbor
Recognition / Award
Changes to Program Terms
Submission Procedure
Our Commitments
Program Scope
Out of Scope Issues
Ineligible Vulnerability Classes
Android Apps - Out of Scope issues
iOS Apps - Out of Scope issues
Cookies - Out of Scope for Authentication
Rules of Engagement
As a responsible security researcher, you will be considered eligible for this program provided that:
You test only against accounts that you create. Should you need to test if an attack works, feel free to create two test user accounts and use one to attack the other.
You follow the submission procedure.
You are not an individual on the OFAC Sanctions List and are not located in a country subject to OFAC sanctions.
You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to Eventbrite), the discovered vulnerabilities.
You have not engaged, and will not engage, in testing/research of systems with the intention of harming Eventbrite, its customers, employees, partners or suppliers.
You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered.
You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks.
You have not tested, and will not test, the physical security of any property, facility, venue or office associated with Eventbrite.
Your research and testing will not degrade our production services and platforms.
Breach of Rules of Engagement
We expect all participants to adhere to the program’s terms, conditions, and responsible disclosure guidelines outlined above. Any violation may result in immediate disqualification from the bug bounty program, and in cases of serious breaches, could lead to account suspension and/or legal action.
Legal Indemnification / Safe Harbor
Eventbrite considers activities conducted within these program guidelines to constitute authorized security research. We will not pursue or support any legal action against individuals who discover and report vulnerabilities to us in good faith and in accordance with these rules.
In the event of any third-party legal action related to your research, we will make it known that your actions were conducted pursuant to this program with our approval. This safe harbor applies to good-faith security research conducted under this program.
Recognition / Award
The Eventbrite Security Wall of Fame exists to thank researchers who improve the safety of the product and customer data. We update the wall once a month and honor people upon their first accepted submission. We don’t offer cash bounties or physical gifts at this time; inclusion on the wall is based on the severity and validity of the submission and is at Eventbrite’s discretion.
Changes to Program Terms
Eventbrite reserves the right to modify these program terms or to cancel the Bug Bounty Program at any time. Significant changes may be posted on this page. We also reserve the right to determine that a given submission is invalid or ineligible under the program (for example, if it falls outside the rules or is not a genuine vulnerability).
Submission Procedure
The reporter must read and follow the rules of engagement before starting their work on discovering security issues on our platform. Every submission must include a clear description of the issue along with steps to reproduce the issue and proof of its exploitability. If fully demonstrating the exploit would risk breaching these rules or affecting users, please refrain from doing so. Describe in your report what you could do next, and we will let you know if we need you to proceed with a proof-of-concept.
Including relevant screenshots or snippets of logs can speed up our understanding of your report.
We will communicate explicitly to give a go-ahead for Proof of Exploit (PoE).
All submissions must be emailed to security@eventbrite.com and have a title prefix "[Eventbrite Bug Bounty Program] - [ your findings ]".
Our Commitments
Acknowledgement: We will confirm receipt within 72 hours.
Validation: We will review and provide a status update within 7 business days.
Transparency: We will communicate progress and inform you when remediation is complete.
Remediation: We commit to addressing valid issues in a timely manner, prioritizing by severity.
Program Scope
The scope of this program is limited to:
Eventbrite Consumer app - Android & iOS
Eventbrite Organizer app - Android & iOS
Out of Scope Issues
The following list of vulnerabilities has already been reviewed by our team, and deemed out of scope for the purposes of this program.
Please do not report any of the following classes of issues. Unless there are exceptional circumstances or novel attacks, these issues will be closed as Not Applicable.
Missing or misconfigured X-Frame-Options headers.
JavaScript / XSS which fires only when interacting with the Rich Text Editor.
HTML Injection -- In most cases, it is expected product behavior to allow a subset of HTML to be displayed.
Missing HttpOnly cookie attribute on non-sensitive cookies
Missing Secure cookie attribute on non-sensitive cookies
Logout CSRF
CSRF in forms that are available to anonymous users.
Password reset page sends multiple emails if requested multiple times.
Username/email Enumeration
Issues with SPF, DKIM, or DMARC records on eventbrite.com
Vulnerabilities found by an automated scanner. Please take the time to manually verify your findings before reporting them.
Ineligible Vulnerability Classes
Eventbrite does not consider the following to be eligible vulnerabilities under this program:
Network or application-level Denial of Service (DoS) and Distributed Denial of Service (DDoS).
Web application scraping
Issues stemming from outdated browsers or plugins.
Social Engineering exploits against customers or Eventbrite administrators.
Issues in third-party services integrated with Eventbrite, as they are not managed by Eventbrite.
Issues pertaining to physical security or that require physical access to Eventbrite’s systems.
Self-Inflicted XSS or any XSS attack that requires MITM presence to alter HTTP headers
Brute Forcing Passwords and Password Reset Token Guessing
Mass Account Registration
Missing Strict-Transport-Security Headers
Use of http:// (unless there is an established, significant impact resulting from the absence of TLS).
Mobile application issues that depend on being rooted/jailbroken.
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP error codes/pages or other non-200 HTTP responses.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
Presence of application or web browser 'autocomplete' or 'save password' functionality.
HTTPS Mixed Content Scripts.
Publicly accessible login panels.
Weak Captcha / Captcha Bypass (unless an established significant exploit exists)
Stack traces that disclose information (unless an established significant exploit exists)
Non-conformance to security best practices without a demonstrated security impact.
Internal IP disclosure
Issues reported in microsites with minimal or no user data
Sensitive data in URLs/request bodies when protected by SSL/TLS
Fingerprinting issues (e.g. open ports without an accompanying proof-of-concept demonstrating vulnerability, banner grabbing).
SSL Issues, e.g.:
SSL/TLS scan reports (output from sites such as SSL Labs).
SSL Attacks such as BEAST, BREACH, Renegotiation attack.
SSL Forward secrecy not enabled.
SSL weak / insecure cipher suites.
Android Apps - Out of Scope issues
Absence of SSL certificate pinning.
Storage of sensitive data in the app’s private directory.
User data stored unencrypted on external storage.
Lack of binary protection mechanisms in the Android application.
Shared links exposed via the system clipboard.
URIs exposed due to malicious apps with permissions to view opened URIs.
Sensitive data appearing in URLs or request bodies when protected by TLS.
Lack of application code obfuscation.
OAuth “app secret” hardcoded or recoverable within the APK.
Application crashes caused by malformed Intents sent to exported components (e.g., Activity, Service, BroadcastReceiver). Note: Only cases where such crashes lead to sensitive data leakage may be considered in scope.
iOS Apps - Out of Scope issues
Missing certificate pinning.
Absence of exploit mitigations (e.g., PIE, ARC, Stack Canaries).
Binary path disclosure.
User data is stored unencrypted on the file system.
Missing binary protection mechanisms (e.g., anti-debugging).
Lack of code obfuscation.
Missing jailbreak detection.
Runtime exploits that only function in a jailbroken environment.
OAuth “app secret” hardcoded or recoverable from the IPA / app binary.
Data exposure through snapshots or pasteboard.
Application crashes caused by malformed URL schemes.
Cookies - Out of Scope for Authentication
The cookies listed below are not used for authentication. As such, their disclosure or leakage is not considered a security vulnerability by the Eventbrite Security team. Additionally, if these cookies are not configured with the HttpOnly or Secure flags, this will not be treated as an eligible issue under our bug bounty program.
AN
G
SERVERID
SP
SS
csrftoken
eblang
mgemail
mglts
mgref
mgrefby
__ut*
gpv_p8
km_*
kvcd
mp_*
s_cc
s_sq
sid
If you find insecure handling of other Eventbrite cookies, those could be a security issue and we encourage those reports.
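As an added example (not Eventbrite's own tooling), the following script triages `Set-Cookie` headers against the exemption list above before anything is reported: it drops cookies named on the list (including the `__ut*`, `km_*` and `mp_*` glob entries), drops cookies that already carry both `HttpOnly` and `Secure`, and returns only the remaining candidates with the flags they lack. The exempt names are copied from this page; the sample headers and the cookie names `session_token`, `remember_me` and `ebtrack` are constructed for illustration and were not captured from eventbrite.com.

```python
"""Triage Set-Cookie headers against the out-of-scope cookie list.

Added example, not Eventbrite's own tooling. EXEMPT_COOKIES is copied from the
program page; SAMPLE_HEADERS below is constructed input, not captured traffic.
"""
from fnmatch import fnmatchcase

# Cookie names (and glob patterns) the page lists as not used for authentication.
EXEMPT_COOKIES = [
    "AN", "G", "SERVERID", "SP", "SS", "csrftoken", "eblang",
    "mgemail", "mglts", "mgref", "mgrefby", "__ut*", "gpv_p8",
    "km_*", "kvcd", "mp_*", "s_cc", "s_sq", "sid",
]


def is_exempt(name: str) -> bool:
    """True if the cookie name matches an exempt entry; entries with '*' are globs.
    Matching is case-sensitive, so a cookie named 'SID' would not match 'sid'."""
    return any(fnmatchcase(name, pattern) for pattern in EXEMPT_COOKIES)


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lowercased attribute names) for one Set-Cookie value.
    Attributes that carry values (Path=/, Max-Age=3600) keep only their name."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(header: str) -> list[str]:
    """Flags absent from one Set-Cookie value, in report order."""
    _, attrs = parse_set_cookie(header)
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def triage(headers: list[str]) -> dict[str, list[str]]:
    """Map each non-exempt cookie lacking HttpOnly or Secure to its missing flags.
    Exempt cookies are dropped even when flags are missing (out of scope per the
    page); cookies carrying both flags are dropped because there is nothing to report."""
    findings: dict[str, list[str]] = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        if is_exempt(name):
            continue
        missing = missing_flags(header)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response headers (hypothetical names, not captured from eventbrite.com).
SAMPLE_HEADERS = [
    "eblang=lo%3Den_US; Path=/; Domain=.example.test",            # exempt, missing both flags
    "__utma=1.2.3; Path=/",                                       # exempt via __ut*
    "mp_abc123_mixpanel=%7B%7D; Path=/",                          # exempt via mp_*
    "session_token=abc; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened, nothing to report
    "remember_me=xyz; Path=/; Secure",                            # candidate: no HttpOnly
    "ebtrack=1; Path=/",                                          # candidate: missing both
]

if __name__ == "__main__":
    for cookie, flags in triage(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

A cookie that survives this filter is a candidate to investigate, not an automatic finding: the program also lists missing `HttpOnly` or `Secure` on any non-sensitive cookie as out of scope, so a report should first establish that the cookie is actually used for authentication or carries sensitive data, and then include the `Set-Cookie` header in the submission as the proof described above.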