JupiterOne Vulnerability Disclosure Program x Hackrate

Welcome to JupiterOne's vulnerability disclosure program. We take the security of our users seriously. We believe that working with security researchers and white-hat hackers is crucial in identifying weaknesses in any technology.

If you believe you have discovered a potential security vulnerability in our products, please help us fix it as quickly as possible by reporting your findings to us.

Special Terms & Conditions

Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep matters private until we give permission for disclosing publicly. Do not share the security issue publicly on message boards, mailing lists, or other forums.

  • When submitting a vulnerability, please provide a clear, concise description of steps to reproduce the vulnerability.

  • Please provide full details of the security issue, including Proof-of-Concept (POC) URL and the details of the system where the tests were conducted.

  • Please do not engage in security research that involves: potential or actual damage to our users, systems, or applications; use of an exploit to view data without authorization; or corruption of data.

  • Never request compensation for the reporting of security issues through any external marketplace for vulnerabilities.

General Rules:

  • Testing is only authorized on the targets listed as Testing scope.

  • Any domain/property/database/IP address of JupiterOne not listed in the Testing scope section is strictly out of scope.

  • Avoid privacy violations, destruction of data, and interruption or degradation of JupiterOne’s services.

  • Only interact with accounts you own.

  • Findings must be exact, and the Bug Bounty Reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or Proof of Concept Code are highly recommended.

  • Rewards or recognition will not be awarded if our security team cannot reproduce and verify a Finding.

  • You must be the first person to report a valid Finding ('duplicate' reports will not be rewarded).

  • The use of non-permitted Third-Party Systems, Third-Party Software and/or automated scanners is prohibited.

  • JupiterOne requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially "Contact Us" forms.

  • If you find the same Vulnerability several times, please report only one Finding. Multiple Vulnerabilities caused by one underlying issue will be awarded one bounty.

  • You must not be a former or current employee of JupiterOne or one of its subcontractors.

Assumptions and Limitations

Strictly prohibited:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks.

  • Non-technical attacks such as social engineering, phishing, vishing, or smishing.

  • Physical security attacks.

  • Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.).

Out of scope issues:

  • Hypothetical flaws or best-practice deviations without an exploitable POC and a concrete attack scenario
  • Reports from automated tools or scans
  • Un-reproducible issues
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Brute force attacks
  • Selling or ransoming user information taken from password reuse or other attacks
  • Social engineering attacks (including phishing)
  • Finding legacy credentials on our GitHub repositories (that are no longer in use or were never valid to begin with)
  • User enumeration attacks
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Homograph attacks
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Persistent login cookie weaknesses
  • Login, logout, unauthenticated or low-value CSRF

Web Sites / Applications:

  • Clickjacking on static websites
  • Disclosure of known public files or directories
  • Errors thrown by the web service (e.g. nginx) when the request was invalid / fuzzing
  • Extension manipulation without any evidence of vulnerability (Attachments)
  • Host injection, except if you can successfully forge a wrong URL or compromise something using it
  • HttpOnly and Secure cookie flags as well as other missing cookie flags
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • HTTPS configuration deviations from "state of the art" (such as HSTS settings, Secure flag for cookies, "weak" TLS ciphers, etc.)
  • Lack of context on user interaction
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • UI redressing
  • XSS attacks via POST requests or self-XSS (unless you provide a PoC that shows impact on our other customers)
  • XSS or XSRF that requires header injection
  • Missing autocomplete attributes
  • Missing cookie flags
  • Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information)
  • CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
  • RTLO and related issues
  • Stack traces or path disclosure

Application Servers / API:

  • Content spoofing / text injection
  • Errors thrown by the web service (e.g. nginx) when the request was invalid / fuzzing
  • Extension manipulation without any evidence of vulnerability
  • Host injection, except if you can successfully forge a wrong URL or compromise something using it
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Stack traces or path disclosure
  • Presence of autocomplete attribute on web forms
  • Presence/absence of SPF/DMARC records

Email:

  • Concerns related to email domain authentication
  • Email configuration data
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

Other:

  • Absence of rate-limiting
  • Any issues regarding single session features/management
  • Premium phone number attacks
  • Recently disclosed 0-day vulnerabilities
  • Software version disclosure
  • Technical information disclosure without impact

Incident Handling and Response:

You, as a Bounty Hunter, must report any suspicious, unintentional or unwanted activities and security events you may find in the environment to [email protected].

JupiterOne reserves the right to terminate and/or suspend the Program or revoke any Bounty Hunter’s authorization if a security incident occurs in the environment.

Public Disclosure:

Before disclosing an issue publicly, we require that you first request permission from us (using the “[email protected]” email address). JupiterOne will process requests for public disclosure on a per-report basis.

Any Bounty Hunter found publicly disclosing reported vulnerabilities without JupiterOne’s written consent will be sanctioned.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep JupiterOne and our users safe!

Rewards

JupiterOne currently does not offer any monetary compensation.

Submit a bug!

Write your report with a clear explanation and don’t forget to upload your Proof-of-Concept.
