Responsible Disclosure

JUMO recognises the importance of security researchers in helping keep our electronic assets safe. We encourage the security community to tinker with our services and help us identify any security flaws. 

Please note that there is no monetary reward for disclosures. We will, however, add you to our hall of fame and link your website/LinkedIn. 

Guidelines for Responsible Disclosure

We ask that all tinkerers:

• Avoid degrading the experience of our users, or disrupting any of our production systems.
• Avoid disclosing, tampering with, or destroying any data.
• Keep information about the vulnerability you have discovered confidential until we have had enough time to remediate it.
• Not use social engineering, physical attacks, or DDoS to probe our systems or people.
• Send us your findings as soon as you can to responsibledisclosure@jumo.world.
• Share detailed information with us, as this helps us validate your findings and get working on a fix as soon as possible.
• Avoid breaking any applicable laws.

Qualifying Security Flaws

Design or implementation issues that directly affect the following areas for JUMO or our customers will likely be in scope.

• Confidentiality 
• Availability 
• Integrity

Non-Qualifying Vulnerabilities

The aim is to identify vulnerabilities that pose a security risk to JUMO or our clients, we will not accept any vulnerabilities that have no feasible means of exploitation or pose no clearly identified security impact. Below are a few examples of vulnerabilities that would NOT be accepted:

• Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
• Clickjacking on static webpages
• Missing security headers
• Missing cookie flags on cookies that pose no risk (such as the language flag)  

Additionally, the following vulnerabilities will also not qualify for this responsible disclosure program.

• DMARK issues
• DDoS

What We Strive For

• Respond to you within five business days, with our evaluation of your finding.
• Handle your report, and personal information confidentially and not share it with any third parties without your permission.
• In communication about the reported vulnerability we can state your name as the discoverer if you would like that.
• Not pursue or support any legal action related to your disclosure.

Hall of Fame

Special thank you to those that have helped us so far: