Responsible Disclosure
JUMO recognises the importance of security researchers in helping keep our electronic assets safe. We encourage the security community to tinker with our services and help us identify any security flaws.
Please note that there is no monetary reward for disclosures. We will, however, add you to our hall of fame and link your website/LinkedIn.
Guidelines for Responsible Disclosure
We ask that all tinkerers:
- Avoid degrading the experience of our users, or disrupting any of our production systems.
- Avoid disclosing, tampering with, or destroying any data.
- Keep information about the vulnerability you have discovered confidential until we have had enough time to remediate it.
- Not use social engineering, physical attacks, or DDoS to probe our systems or people.
- Send us your findings as soon as you can to responsibledisclosure@jumo.world.
- Share detailed information with us, as this helps us validate your findings and get working on a fix as soon as possible.
- Avoid breaking any applicable laws.
Qualifying Security Flaws
Design or implementation issues that directly affect the following areas for JUMO or our customers will likely be in scope.
- Confidentiality
- Availability
- Integrity
Non-Qualifying Vulnerabilities
The aim is to identify vulnerabilities that pose a security risk to JUMO or our clients. We will not accept any vulnerabilities that have no feasible means of exploitation or pose no clearly identified security impact. Below are a few examples of vulnerabilities that would NOT be accepted:
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Clickjacking on static webpages
- Missing security headers
- Missing cookie flags on cookies that pose no risk (such as the language flag)
Additionally, the following vulnerabilities will also not qualify for this responsible disclosure program.
- DMARC issues
- DDoS
What We Strive For
- Respond to you within five business days, with our evaluation of your finding.
- Handle your report and your personal information confidentially, and not share them with any third parties without your permission.
- In communications about the reported vulnerability, name you as the discoverer if you would like that.
- Not pursue or support any legal action related to your disclosure.
Hall of Fame
Special thank you to those that have helped us so far:
- Gul Hameed (no link supplied)
- Sujan Thapa Magar (eminenceways.com)
- Virendra Yadav (linkedin.com/in/virendra-yadav-9232b115a)
- Sagar Aswani (linkedin.com/in/sagar-aswani-6b9816125/)
- Ajit Sharma (linkedin.com/in/ajit-sharma-90483655)
- Robert Aaron (linkedin.com/in/robert-aaron-14735b188)
- Ahmed Tuhin (twitter.com/kiirapooki1)
- Akhil Sabu (linkedin.com/in/akhil-sabu-a2136497)
- Dhanumaalaian (linkedin.com/in/dhanumaalaian-r-b34338189)
- Ajaysen (no link supplied)
- Sunil Kande (twitter.com/Sunilkande1137)
- Daksh Khurana (twitter.com/india_khurana)
- Steven Julian (linkedin.com/in/steven-julian22)
- Mayur Parmar (linkedin.com/in/th3cyb3rc0p)
- Nishant Lungare (linkedin.com/in/nishant-lungare-28b841157)
- Mohamed Saqib (linkedin.com/in/mohamed-saqib)
- Pritam Mukherjee (linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9)
- Ronit Bhatt (linkedin.com/in/ronit-bhatt-653a7115b)
- Vismit Rakhecha (linkedin.com/in/vismit-sudhir-rakhecha-76209523)
- Manas Harsh (@manas_hunter)
- Pranshu Tiwari (linkedin.com/in/pranshu-tiwari-b5759b158)
- Ravindra Lakhara (linkedin.com/in/ravindra-lakhara-035509173)