Responsible Disclosure of Security Vulnerabilities
We’re working with the security community to make our products safer for everyone! Security researchers play a vital role in safeguarding digital information. All vulnerability reports must adhere to our Bug Bounty Terms and Conditions. The decisions made by JetApps, LLC regarding rewards are final and binding. JetApps, LLC may change or cancel this program at any time, for any reason.
Reporting security issues
If you’ve discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
If you believe you have discovered a vulnerability or have a security incident to report, please submit your report through our Support Portal.
You must include a detailed summary of the issue you discovered. Be sure to include an email address where we can reach you in case we need more information. Your report must include:
* The attack vector used to exploit the vulnerability
* Detailed, step-by-step instructions on exploiting the vulnerability
* Proof that you were able to successfully exploit the vulnerability
* The potential security impact of failure to mitigate the vulnerability
Code of Conduct
Please act in good faith towards our users’ privacy and data during your disclosure. When testing for vulnerabilities, please do not insert test code into popular public guides or threads.
These guides are used by thousands of people daily, and disrupting their experience by testing for vulnerabilities is harmful.
We won’t take legal or administrative action against you or your account if you act accordingly: White hat researchers are always appreciated.
Bug Bounty
We’re happy to provide a reward to users who report valid security vulnerabilities. To be eligible for credit and a reward, you must:
* Be the first person to responsibly disclose the bug.
* Report a bug that could compromise our users’ private data, circumvent the system’s protections, or enable access to a system within our infrastructure.
* Comply with all terms and requirements as stated in our Bug Bounty Program.
Low Tier Bounties ($25 reward)
* SQL Injection
* Exposed Administrative Panels that don’t require login credentials
* Directory Traversal Issues
* Local File Disclosure (LFD)
High Tier Bounties ($100 reward)
* In general, any vulnerability that exposes extremely sensitive data or results in root access to the server
* Server-side Remote Code Execution (RCE)
* User data compromise
* Privilege escalation
Things We Are NOT Looking For
* Best practices concerns (we require concrete evidence of a security vulnerability)
* CSRF with no security implications (such as login, logout, or unauthenticated CSRF)
* Hyperlink injection on emails
* Lack of rate limiting (email verification, password reset, etc)
* Opening a new account without email verification (opening tickets, enabling 2FA, general account usage)
* Sessions not being invalidated when a best practice says so
* Tabnabbing
* WordPress vulnerabilities/XMLRPC brute force attacks
* CSV/Excel command injection issues
* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
* Race conditions that don’t compromise the security of JetApps or our customers
* Reports about theoretical damage without a real risk
* The output of automated scanners without explanation
* window.opener-related issues
* Missing cookie flags on non-security sensitive cookies
* Attacks requiring physical access to a user’s device or pre-existing user device compromise
* Missing security headers not related to a security vulnerability
* Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
* Banner grabbing issues to figure out the stack we use or software version disclosure
* Open ports without a vulnerability
* Password and account recovery policies, such as reset link expiration or password complexity
* Invalid or missing SPF (Sender Policy Framework) records
* Disclosure of known public files or directories (e.g. robots.txt)
* Reports of spam
* User enumeration
* DNS misconfiguration
* Presence of autocomplete attribute on web forms
* DNSSEC settings
* HSTS or CSP headers
* Host header injection, unless you can show how a third party can exploit it
* Vulnerabilities that require a rooted, jailbroken or software emulated device
* Outdated versions of WordPress with no known vulnerabilities
* Self-XSS
* Missing DNS SPF records
Our security team will assess each bug to determine if it qualifies. We do our best to respond to your reports in a timely manner. We aim to respond within 3 business days; however, some reports take longer than others to investigate.
We reply only during business hours (9AM-5PM PST, weekdays, excluding holidays). Repeated emails will NOT result in a quicker response, and may bump your report to the end of the queue. Reports that fail to comply with the terms of the Bug Bounty program (such as breaking a rule or reporting on a vulnerability we explicitly are not looking for) will result in your report being denied outright. Multiple reports that fail to comply may result in a ban on all future submissions from the author.
General Rules
* Avoid security scanners or tools which may cause DoS, DDoS or scraping-like behavior.
* Do not use automatic tools against contact or support forms.
* Do not comment on the blog while testing.
* NEVER try to gain access to a real user’s account or data.
* You must not leak, manipulate, or destroy any user data.
* Do not impact users with your testing.
* Do not perform denial of service attacks, mail bombing, spam, scraping, brute force, or automated attacks with programs like Burp Intruder.
* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
* Any vulnerability found must be reported no later than 48 hours after discovery.