Introduction

JumpCloud is committed to protecting the privacy and security of our customers. Although we have made every effort to minimize security bugs in our systems, we realize that something may have been missed. We encourage individual security researchers to study and analyze our platform to make it even safer. Our Vulnerability Disclosure Program (VDP) is intended to minimize any security flaws found in our infrastructure and software. If you believe you have found a security vulnerability in our platform, please contact us as soon as possible. We will investigate all legitimate reports and do our best to address the issue quickly. Before reporting the issue, please take a moment to review this page, which includes our disclosure policy, guidelines, rules, the program’s scope, rewards, and how to contact us.

Responsible Disclosure Policy

  • You give us a reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You make a reasonable, good-faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.)
  • You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
  • For this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

Guidelines & Rules

Participating in JumpCloud’s VDP requires you to follow our guidelines. Please adhere to the following guidelines to be eligible for rewards under this disclosure program:

Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible.

  • Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
  • Don’t request updates on an hourly basis. We are handling dozens of reporters daily, and spam impacts JumpCloud’s efficiency.
  • Only target your own accounts when investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.
  • Don’t target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
  • If you find a severe vulnerability that allows system access, you must not proceed further.
  • JumpCloud decides when and how bugs should be addressed and fixed.
  • Disclosing bugs to a party other than JumpCloud is forbidden; all bug reports are to remain at the reporter’s and JumpCloud’s discretion.
  • Threatening behavior of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others’ benefit will automatically disqualify the report.
  • Bug disclosure communications with JumpCloud’s Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

Vulnerability Disclosure Program Scope

The following services and domains are considered in scope:

In-Scope Endpoints and Systems

The following endpoints and systems are considered in scope:

  • JumpCloud Agent Site (agent.jumpcloud.com)
  • JumpCloud user and admin consoles (console.jumpcloud.com)
  • JumpCloud API to access audit data (events.jumpcloud.com)
  • JumpCloud endpoint for G Suite Integration (google-sync.jumpcloud.com)
  • JumpCloud endpoint for client certificate deployment (kickstart.jumpcloud.com)
  • JumpCloud endpoint for LDAP Service (ldap.jumpcloud.com)
  • JumpCloud endpoint for Office 365 Integration (o365-sync.jumpcloud.com)
  • JumpCloud endpoint for post client certificate deployment (private-kickstart.jumpcloud.com)
  • JumpCloud endpoint for RADIUS Service (radius.jumpcloud.com)
  • JumpCloud Service Provider endpoint for SAML (sso.jumpcloud.com)
  • JumpCloud Agents (endpoints deployed to systems)

Out of Scope Endpoints and Systems

  • JumpCloud Support Site (support.jumpcloud.com)
  • JumpCloud Main Site (jumpcloud.com)
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on any scoped endpoint.

IN-SCOPE VULNERABILITIES

Generally speaking, any bug that poses a significant vulnerability could be eligible for a reward.  It is entirely at JumpCloud’s discretion to decide whether a bug is significant enough to qualify for an award.  Security issues that typically would be eligible (though not necessarily in all cases) include:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Executions
  • SQL injections
  • Server-Side Request Forgery (SSRF)
  • Privilege Escalations
  • Authentication Bypasses
  • File inclusions (Local & Remote)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Leakage of sensitive data
  • Directory Traversal
  • Administration portals without an authentication mechanism
  • Open redirects which allow stealing tokens/secrets

OUT OF SCOPE VULNERABILITIES

Things that are not eligible for reward include:

  • Social Engineering
  • Lack of rate-limiting mechanisms
  • Open redirects without a severe impact
  • Application stack traces (path disclosures, etc.)
  • Self-type Cross-Site Scripting / Self-XSS
  • Vulnerabilities that require Man in the Middle (MitM) attacks
  • Denial of Service attacks
  • CSRF issues on actions with minimal impact
  • Cache Poisoning
  • Clickjacking
  • Incomplete or missing SPF/DMARC/DKIM records
  • HSTS not enabled on *.jumpcloud.com websites
  • Brute force attacks
  • Security practices (banner revealing a software version, missing security headers, etc.)
  • Bugs that do not have security implications
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers/operating systems
  • Bugs already known to us, or previously reported by someone else (reward goes to the first reporter)
  • Issues that aren’t reproducible

Reporting

Send an email to [email protected] using the PGP key located here, with information about the vulnerability and detailed steps on how to replicate it.

  • The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
  • The report should also contain as much information as you can provide: ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component.
  • If you need to share screenshots/videos, please upload them to Google Drive (or any other upload service) and share the links to those files with us.

We will make every effort to respond to accurate reports within seven business days.

JumpCloud will utilize Bugcrowd’s VRT for initial prioritization and review its overall impact for further prioritization based upon JumpCloud’s Vulnerability Management Program.

All Assessments are considered final.

PGP key


Ratings/Rewards

Ratings

For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, it is essential to note that in some cases, a vulnerability’s priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded.

Rewards

At present, we can only offer non-cash rewards, including:

  • A gift card from Amazon (www.amazon.com)

Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law.

Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible.

Priority   Reward
P1         100 US Dollars via Amazon Gift Card
P2         50 US Dollars via Amazon Gift Card
P3         25 US Dollars via Amazon Gift Card

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Questions

If you have any questions about our VDP, please contact [email protected].