Responsible Disclosure Policy
To protect both JumpCloud and security researchers, we ask you to comply with the following policies:
- Give us reasonable time to investigate and mitigate an issue you report before you publicize any information about the report or share such information with others.
- Make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
- Don’t exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
- Don’t intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- For the purposes of this policy, you aren’t authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
Guidelines & Rules
Participating in JumpCloud’s VDP requires that you follow our guidelines. Adhere to the following guidelines to be eligible for rewards as part of this program:
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Don’t request updates on an hourly basis. We’re handling many reports and spam impacts JumpCloud’s efficiency.
- Only target your own accounts as you investigate issues. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.
- Don’t target our physical security measures, or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
- If you find a severe vulnerability that allows system access, you must not proceed further.
- It’s JumpCloud’s decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than JumpCloud is forbidden; all bug reports are to remain at the reporter’s and JumpCloud’s discretion.
- Threatening behavior of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others’ benefit will automatically disqualify the report.
- Bug disclosure communications with JumpCloud’s Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
Vulnerability Disclosure Program Scope
The following services and domains are considered in scope:
- JumpCloud user and admin consoles (
- JumpCloud API
- JumpCloud agent (
Generally speaking, any bug that poses a significant vulnerability could be eligible for reward. It’s entirely at JumpCloud’s discretion to decide whether a bug is significant enough to be eligible for reward. Security issues that typically would be eligible include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Administration portals without an authentication mechanism
- Open redirects which allow stealing tokens/secrets
Out of Scope Vulnerabilities
Things that aren’t eligible for reward include:
- Lack of rate limiting mechanisms
- Open redirects without a severe impact
- Application stack traces (path disclosures, etc.)
- Self-type Cross-Site Scripting (Self-XSS)
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Missing SPF records
- HSTS not enabled on
- Brute force attacks
- Security practices (banner revealing a software version, missing security headers, etc.)
- Bugs that do not have security implications
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Bugs already known to us, or already reported by someone else (reward goes to first reporter)
- Issues that aren’t reproducible
To report an issue:
- Send an email to firstname.lastname@example.org using the PGP from our Keybase account.
- Include information about the vulnerability and detailed steps on how to replicate it. The report must pertain to an item explicitly listed under our in-scope vulnerabilities section. The report should also contain as much detailed information as you can include—ideally, a description of your findings, the steps needed to reproduce the issue, and the vulnerable component.
We will do our best to respond to reports in seven business days.
Currently we can only offer non-cash rewards, including:
- Water bottle
- Mention in the JumpCloud Security Hall of Fame
Only the first report we receive about a given vulnerability will be rewarded. We can’t send rewards where prohibited by law.
If you have any questions about our VDP, contact email@example.com.