Responsible Disclosure

Welcome to JUMO’s Responsible Disclosure Policy

We encourage the global security community to support us in building a resilient, trustworthy technology stack. We ask that anyone looking for anomalies or vulnerabilities in our services follow the principles as outlined below. Please note that there is no monetary reward for disclosures.

Guidelines for Responsible Disclosure

We ask that all tinkerers:

• Avoid degrading the experience of our users, or disrupting any of our production systems.
• Avoid disclosing, tampering with, or destroying any data.
• Keep information about the vulnerability you have discovered confidential until we have had enough time to remediate it.
• Not use social engineering, physical attacks, or DDoS to probe our systems, or people.
• Send us your findings as soon as you can to responsibledisclosure@jumo.world.
• Share detailed information with us, this helps us to confirm your finding and get working on a fix as fast as possible.
• Avoid breaking any applicable laws.

We will strive to:

• Respond to you within five business days, with our evaluation of your finding.
• Handle your report, and personal information confidentially and not share it with any third parties without your permission.
• In communication about the reported vulnerability we can state your name as the discoverer if you would like that.
• Not pursue or support any legal action related to your disclosure.

Please do not disclose:

• Denial of service attacks (DDoS)
• Findings from an automated scanner such as Nessus
• Username enumeration on the CMS
• XMLRPC (mitigations are in place)

Hall of Fame

Special thank you to those that have helped us so far: