Introduction

JumpCloud is committed to protecting the privacy and security of our customers. Although we have made every effort to minimize security bugs in our systems, we realize that something may have been missed. We encourage individual security researchers to study and analyze our platform to make it even safer. Our Vulnerability Disclosure Program (VDP) is intended to minimize any security flaws found in our infrastructure and software. If you believe you have found a security vulnerability in our platform, please contact us as soon as possible. We will investigate all legitimate reports and do our best to address the issue quickly. Before reporting an issue, please take a moment to review this page, which includes our disclosure policy, guidelines, rules, the program's scope, rewards, and how to contact us.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to JumpCloud, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

  • You give us a reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.)
  • You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
  • Nothing in this policy authorizes you to access user data or company data, including (but not limited to) personally identifiable information and any data relating to an identified or identifiable natural person.

Guidelines & Rules

Participating in JumpCloud’s VDP requires you to follow our guidelines. Please adhere to the following guidelines to be eligible for rewards under this disclosure program:

Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible.

  • Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
  • Don’t request updates on an hourly basis. We are handling dozens of reporters daily, and spam impacts JumpCloud’s efficiency.
  • Only test against accounts you own when investigating any bugs/findings. Do not target, attempt to access, or otherwise disrupt the accounts of other users.
  • Don't target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
  • If you find a severe vulnerability that allows system access, stop at the proof of concept; you must not proceed further.
  • JumpCloud alone determines when and how reported bugs are addressed and fixed.
  • Disclosing bugs to any party other than JumpCloud is forbidden; all bug reports remain between the reporter and JumpCloud.
  • Threatening behavior of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing a vulnerability for your own or others' benefit will automatically disqualify the report.
  • Bug disclosure communications with JumpCloud's Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.

Vulnerability Disclosure Program Scope

Scope is defined by the endpoints and systems listed below.

In-Scope Endpoints and Systems

The following endpoints, and the agents we deploy to systems, are considered in scope:

  • JumpCloud Agent Site (agent.jumpcloud.com)
  • JumpCloud user and admin consoles (console.jumpcloud.com)
  • JumpCloud API to access audit data (events.jumpcloud.com)
  • JumpCloud endpoint for G Suite Integration (google-sync.jumpcloud.com)
  • JumpCloud endpoint for client certificate deployment (kickstart.jumpcloud.com)
  • JumpCloud endpoint for LDAP Service (ldap.jumpcloud.com)
  • JumpCloud endpoint for Office 365 Integration (o365-sync.jumpcloud.com)
  • JumpCloud endpoint for post client certificate deployment (private-kickstart.jumpcloud.com)
  • JumpCloud endpoint for RADIUS Service (radius.jumpcloud.com)
  • JumpCloud Service Provider endpoint for SAML (sso.jumpcloud.com)
  • JumpCloud Agents (endpoints deployed to systems)

Out of Scope Endpoints and Systems

  • JumpCloud Support Site (support.jumpcloud.com)
  • JumpCloud Main Site (jumpcloud.com)
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on any scoped endpoint.

IN-SCOPE VULNERABILITIES

Generally speaking, any bug that poses a significant vulnerability could be eligible for a reward. It is entirely at JumpCloud's discretion to decide whether a bug is significant enough to qualify for an award. Security issues that typically would be eligible (though not necessarily in all cases) include:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code execution
  • SQL injections
  • Server-Side Request Forgery (SSRF)
  • Privilege Escalations
  • Authentication Bypasses
  • File inclusions (Local & Remote)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Leakage of sensitive data
  • Directory Traversal
  • Administration portals without an authentication mechanism
  • Open redirects which allow stealing tokens/secrets

OUT OF SCOPE VULNERABILITIES

Things that are not eligible for reward include:

  • Social Engineering
  • Lack of rate-limiting mechanisms
  • Open redirects without a severe impact
  • Application stack traces (path disclosures, etc.)
  • Self-XSS (Cross-Site Scripting that only the victim can trigger against themselves)
  • Vulnerabilities that require Man-in-the-Middle (MitM) attacks
  • Denial of Service attacks
  • CSRF issues on actions with minimal impact
  • Cache Poisoning
  • Clickjacking
  • Incomplete or missing SPF/DMARC/DKIM records
  • HSTS not enabled on *.jumpcloud.com websites
  • Brute force attacks
  • Security practices (banner revealing a software version, missing security headers, etc.)
  • Bugs that do not have security implications
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on a scoped endpoint
  • Vulnerabilities contingent on physical attack, social engineering, spam, DDoS attacks, etc.
  • Vulnerabilities affecting outdated or unpatched browsers/operating systems
  • Bugs already known to us, or previously reported by someone else (the reward goes to the first reporter)
  • Issues that aren't reproducible

Reporting

Send an email to vulnerability@jumpcloud.com, encrypted with the PGP key below, with information about the vulnerability and detailed steps on how to replicate it.

  • The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
  • The report should contain as much information as you can provide: ideally, a description of your findings, the steps needed to reproduce it, and the vulnerable component (the affected endpoint, and for agent issues the agent version and operating system).
  • If you need to share screenshots/videos, please upload them to Google Drive (or any other upload service) and share the links to those files with us.

We will make every effort to respond to accurate reports within seven business days.

JumpCloud uses Bugcrowd's Vulnerability Rating Taxonomy (VRT) for initial prioritization, then reviews each finding's overall impact for further prioritization under JumpCloud's Vulnerability Management Program.

All Assessments are considered final.

PGP key

The armored public key for vulnerability@jumpcloud.com (generated with Keybase Go 5.5.0 (darwin); https://keybase.io/download) belongs here; the key block itself is not reproduced in this copy of the page.

Ratings/Rewards

Ratings

For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, it is essential to note that in some cases a vulnerability's priority will be modified because of its actual likelihood or impact in our environment. In any instance where an issue is downgraded.

Rewards

At present, we can only offer non-cash rewards, including:

  • A gift card from Amazon (www.amazon.com)

Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law.

Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible.

Priority   Reward
P1         100 US Dollars via Amazon Gift Card
P2         50 US Dollars via Amazon Gift Card
P3         25 US Dollars via Amazon Gift Card

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Questions

If you have any questions about our VDP, please contact vulnerability@jumpcloud.com.