Responsible Disclosure

Welcome to JUMO’s Responsible Disclosure Policy

We encourage the global security community to support us in building a resilient, trustworthy technology stack. We ask that anyone looking for anomalies or vulnerabilities in our services follow the principles as outlined below. Please note that there is no monetary reward for disclosures.

Guidelines for Responsible Disclosure

We ask that all tinkerers:

• Avoid degrading the experience of our users, or disrupting any of our production systems.
• Avoid disclosing, tampering with, or destroying any data.
• Keep information about the vulnerability you have discovered confidential until we have had enough time to remediate it.
• Not use social engineering, physical attacks, or DDoS to probe our systems, or people.
• Send us your findings as soon as you can to responsibledisclosure@jumo.world.
• Share detailed information with us, this helps us to confirm your finding and get working on a fix as fast as possible.
• Avoid breaking any applicable laws.

We will strive to:

• Respond to you within five business days, with our evaluation of your finding.
• Handle your report, and personal information confidentially and not share it with any third parties without your permission.
• In communication about the reported vulnerability we can state your name as the discoverer if you would like that.
• Not pursue or support any legal action related to your disclosure.

Please note that we no longer recognise vulnerabilities relating to:
– DMARC
– DDoS
– XMLRPC
– Findings from an automated scanner such as Nessus
– Username enumeration, or
– CORS policy or Origin hostname poisoning

This is because the vulnerability satisfies one of the following criterion:
– Investigated, false positive
– Mitigations are in place for active exploitation
– It has already been reported and is being investigated

Hall of Fame

Special thank you to those that have helped us so far: