When will Bubble be GDPR and PCI compliant?

We routinely get our application sites penetration tested by Immuniweb. Our last test March 27 2023 resulted in 11 vulnerabilities that prevented us from being both GDPR and PCI compliant. We have now been told that these vulnerabilities are core to the Bubble platform with medium priority with support and no estimated date for resolution.

Support’s response to this is that compliance or non-compliance is our choice (the Bubble customer). Yet, though I choose to want to be compliant, I cannot be because the core platform is not.

As it stands today, for anyone looking into this, you cannot pass a be GDPR or PCI compliant PenTest until these 11 vulnerabilities are fixed. Now Bubble will tell you, as I’ve been told, the existence of these vulnerabilities does NOT necessarily mean that your application is unsafe. The issue however, is that if you need to provide a vulnerability test to your clients in order to make sale (as we do) you run the gauntlet of receiving a PenTest that is going to instantly make your solution look unsafe by failing quite a number of tests.

As the application platform, I believe it is imperative that Bubble make available its current compliance status for critical frameworks such as GDPR so that we, the customer, knows what our sites will and won’t pass. I would never had submitted for a PenTest if I’d known we would fail so spectacularly.

Ultimate compliance is up to the individual application creator, but the platform MUST have the ability to become compliant, otherwise no application can be.

Is anyone else struggling with this? What date does Bubble believe it can get its platform updated so that its 11 critical vulnerabilities are resolved?


Can you provide context as to what the 11 bubble caused vulnerabilities are that make your app non compliant?


Hi Chris, Bubble Support have the 11 specific issues and I’d rather not publicly be spreading them but they all pertain to out of date or vulnerable libraries. As mentioned, just because they are out of date doesn’t necessarily mean they are exposed in a way that can be exploited, but the list of them certainly means I can’t claim compliance to my customers, which unfortunately, is quite damaging.

1 Like