Responsible Disclosure

Welcome to JUMO’s Responsible Disclosure Policy

JUMO recognises the importance of security researchers in helping keep our electronic assets safe. We encourage the security community to tinker with our services and help us identify any security flaws. 

Please note that there is no monetary reward for disclosures. We will, however, add you to our hall of fame and link your website/LinkedIn. 

Guidelines for Responsible Disclosure

We ask that all tinkerers:

  • Avoid degrading the experience of our users, or disrupting any of our production systems.
  • Avoid disclosing, tampering with, or destroying any data.
  • Keep information about the vulnerability you have discovered confidential until we have had enough time to remediate it.
  • Not use social engineering, physical attacks, or DDoS to probe our systems or people.
  • Send us your findings as soon as you can to responsibledisclosure@jumo.world.
  • Share detailed information with us, as this helps us validate your findings and get working on a fix as soon as possible.
  • Avoid breaking any applicable laws.

Qualifying Security Flaws

Design or implementation issues that directly affect the following areas for JUMO or our customers will likely be in scope.

  • Confidentiality 
  • Availability 
  • Integrity

Non-Qualifying Vulnerabilities

The aim is to identify vulnerabilities that pose a real security risk to JUMO or our clients. We will not accept reports of issues that have no feasible means of exploitation or no clearly identified security impact. Below are a few examples of findings that would NOT be accepted:

  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Clickjacking on static webpages
  • Missing security headers
  • Missing cookie flags (such as Secure or HttpOnly) on cookies that pose no risk, for example a language-preference cookie

Additionally, the following vulnerabilities will also not qualify for this responsible disclosure program.

  • DMARC issues
  • DDoS

What We Strive For

  • Respond to you within five business days, with our evaluation of your finding.
  • Handle your report and your personal information confidentially, and not share them with any third parties without your permission.
  • Name you as the discoverer in any communication about the reported vulnerability, if you would like that.
  • Not pursue or support any legal action related to your disclosure.

Hall of Fame

Special thank you to those who have helped us so far:

  • Gul Hameed (no link supplied)
  • Sujan Thapa Magar (eminenceways.com)
  • Virendra Yadav (linkedin.com/in/virendra-yadav-9232b115a)
  • Sagar Aswani (linkedin.com/in/sagar-aswani-6b9816125/)
  • Ajit Sharma (linkedin.com/in/ajit-sharma-90483655)
  • Robert Aaron (linkedin.com/in/robert-aaron-14735b188)
  • Ahmed Tuhin (twitter.com/kiirapooki1)
  • Akhil Sabu (linkedin.com/in/akhil-sabu-a2136497)
  • Dhanumaalaian (linkedin.com/in/dhanumaalaian-r-b34338189)
  • Ajaysen (no link supplied)
  • Sunil Kande (twitter.com/Sunilkande1137)
  • Daksh Khurana (twitter.com/india_khurana)
  • Steven Julian (linkedin.com/in/steven-julian22)
  • Mayur Parmar (linkedin.com/in/th3cyb3rc0p)
  • Nishant Lungare (linkedin.com/in/nishant-lungare-28b841157)
  • Mohamed Saqib (linkedin.com/in/mohamed-saqib)
  • Pritam Mukherjee (linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9)
  • Ronit Bhatt (linkedin.com/in/ronit-bhatt-653a7115b)
  • Vismit Rakhecha (linkedin.com/in/vismit-sudhir-rakhecha-76209523)
  • Manas Harsh (@manas_hunter)
  • Pranshu Tiwari (linkedin.com/in/pranshu-tiwari-b5759b158)
  • Ravindra Lakhara (linkedin.com/in/ravindra-lakhara-035509173)