Vulnerability Disclosure Program

JumpCloud is committed to protecting the privacy and security of our customers. Despite our efforts to keep our platform secure, we realize we may have missed something. We encourage individual security researchers to analyze our platform to make it safer for our customers. If you think you have found a security vulnerability in our platform, please contact us! We’ll investigate the issue and try to resolve it quickly. Before you report an issue, review this page.

Responsible Disclosure Policy

To protect both JumpCloud and security researchers, we ask you to comply with the following policies:

Guidelines & Rules

Participating in JumpCloud’s VDP requires that you follow our guidelines. Adhere to the following guidelines to be eligible for rewards as part of this program:

Vulnerability Disclosure Program Scope

The following services and domains are considered in scope:

IN-SCOPE VULNERABILITIES

Generally speaking, any bug that poses a significant vulnerability could be eligible for reward. It’s entirely at JumpCloud’s discretion to decide whether a bug is significant enough to be eligible for reward. Security issues that typically would be eligible include:

OUT OF SCOPE VULNERABILITIES

Things that aren’t eligible for reward include:

Reporting

To report an issue:

  1. Send an email to vulnerability@jumpcloud.com using the PGP key from our Keybase account.
  2. Include information about the vulnerability and detailed steps on how to replicate it. The report must pertain to an item explicitly listed under our in-scope vulnerabilities section. The report should also contain as much detailed information as you can include—ideally, a description of your findings, the steps needed to reproduce the issue, and the vulnerable component.

We will do our best to respond to reports within seven business days.

Rewards

Currently we can only offer non-cash rewards, including:

Only the first report we receive about a given vulnerability will be rewarded. We can’t send rewards where prohibited by law.

Questions

If you have any questions about our VDP, contact vulnerability@jumpcloud.com.