Introduction
JumpCloud is committed to protecting the privacy and security of our customers. Although we make every effort to minimize security bugs in our systems, we realize that something may have been missed. We encourage individual security researchers to study and analyze our platform to make it even safer. Our Vulnerability Disclosure Program (VDP) is intended to minimize any security flaws found in our infrastructure and software. If you believe you have found a security vulnerability in our platform, please contact us as soon as possible. We will investigate all legitimate reports and do our best to address the issue quickly. Before reporting the issue, please take a moment to review this page, which includes our disclosure policy, guidelines, rules, the program’s scope, rewards, and how to contact us.
Responsible Disclosure Policy
- You give us a reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You make a good-faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.)
- You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.
- Under this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
Guidelines & Rules
Participating in JumpCloud’s VDP requires you to follow our guidelines. Please adhere to the following guidelines to be eligible for rewards under this disclosure program:
Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible.
- Don’t violate the Terms of Service (including but not limited to performing unauthorized penetration tests).
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Don’t request updates on an hourly basis. We are handling dozens of reporters daily, and spam impacts JumpCloud’s efficiency.
- Only target your own accounts in the process of investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.
- Don’t target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
- If you find a severe vulnerability that allows system access, you must not proceed further.
- JumpCloud alone determines when and how bugs are addressed and fixed.
- Disclosing bugs to a party other than JumpCloud is forbidden; all bug reports are to remain between the reporter and JumpCloud.
- Threatening behavior of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others’ benefit will automatically disqualify the report.
- Bug disclosure communications with JumpCloud’s Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
Vulnerability Disclosure Program Scope
The following services and domains are considered in scope:
In-Scope Endpoints and Systems
The following endpoints and systems are considered in scope:
- JumpCloud Agent Site (agent.jumpcloud.com)
- JumpCloud user and admin consoles (console.jumpcloud.com)
- JumpCloud API to access audit data (events.jumpcloud.com)
- JumpCloud endpoint for G Suite Integration (google-sync.jumpcloud.com)
- JumpCloud endpoint for client certificate deployment (kickstart.jumpcloud.com)
- JumpCloud endpoint for LDAP Service (ldap.jumpcloud.com)
- JumpCloud endpoint for Office 365 Integration (o365-sync.jumpcloud.com)
- JumpCloud endpoint for post client certificate deployment (private-kickstart.jumpcloud.com)
- JumpCloud endpoint for RADIUS Service (radius.jumpcloud.com)
- JumpCloud Service Provider endpoint for SAML (sso.jumpcloud.com)
- JumpCloud Agents (endpoints deployed to systems)
Out of Scope Endpoints and Systems
- JumpCloud Support Site (support.jumpcloud.com)
- JumpCloud Main Site (jumpcloud.com)
- Vulnerabilities on sites hosted by third parties unless they lead to a weakness on any scoped endpoint.
In-Scope Vulnerabilities
Generally speaking, any bug that poses a significant vulnerability could be eligible for a reward. It is entirely at JumpCloud’s discretion to decide whether a bug is significant enough to qualify for an award. Security issues that typically would be eligible (though not necessarily in all cases) include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Administration portals without an authentication mechanism
- Open redirects which allow stealing tokens/secrets
Out of Scope Vulnerabilities
Things that are not eligible for reward include:
- Social Engineering
- Lack of rate-limiting mechanisms
- Open redirects without a severe impact
- Application stack traces (path disclosures, etc.)
- Self-type Cross-Site Scripting (Self-XSS)
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Clickjacking
- Incomplete or missing SPF/DMARC/DKIM records
- HSTS not enabled on *.jumpcloud.com websites
- Brute force attacks
- Security practices (banner revealing a software version, missing security headers, etc.)
- Bugs that do not have security implications
- Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attacks, etc.
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Bugs already known to us, or previously reported by someone else (the reward goes to the first reporter)
- Issues that aren’t reproducible
Reporting
Send an email to [email protected], encrypted with the PGP key located below, with information about the vulnerability and detailed steps on how to replicate it.
- The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
- The report should also contain as much information as you can: ideally, a description of your findings, the steps needed to reproduce it, and the vulnerable component.
- If you need to share screenshots/videos, please upload them to Google Drive (or any other upload service) and share the links to those files with us.
We will make every effort to respond to accurate reports within seven business days.
JumpCloud will use Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for initial prioritization and will review the overall impact for further prioritization based upon JumpCloud’s Vulnerability Management Program.
All Assessments are considered final.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Universal 3.4.2 (Build 10531)
-----END PGP PUBLIC KEY BLOCK-----
Ratings/Rewards
Ratings
For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.
However, it is essential to note that in some cases, a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded.
Rewards
At present, we can only offer non-cash rewards, including:
- A gift card from Amazon (www.amazon.com)
Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law.
| Priority | Reward |
|---|---|
| P1 | 100 US Dollars via Amazon Gift Card |
| P2 | 50 US Dollars via Amazon Gift Card |
| P3 | 25 US Dollars via Amazon Gift Card |
Disclosure
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
Questions
If you have any questions about our VDP, please contact [email protected].