Vulnerability Disclosure Philosophy
- Respect privacy. Make a good faith effort not to access or destroy another user's data.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
We define a vulnerability as a software bug that would allow an attacker to perform an action in violation of an explicit security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. Weaknesses exploited by viruses, malicious code, and social engineering are not considered vulnerabilities under this policy.
If you believe you have found a vulnerability, please submit a Report here. The Report should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept. If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. Jibres rates reports using the CVSS v3 calculator. Learn more about CVSS v3 ratings.
Before you start
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure!
- When in doubt, contact us at info [at] jibres.com.
- By participating in the Jibres Bug program, you acknowledge that you have read and agree to the Jibres Terms of Service.
- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
- Only test for vulnerabilities on sites you know to be operated by Jibres and are in-scope. Some sites hosted on subdomains of Jibres.com are operated by third parties and should not be tested.
- Jibres reserves the right to terminate or discontinue the Program at its discretion.
- Do not publicly disclose your submission until Jibres has evaluated the impact.
Performing your research
Do not impact other users with your testing. If you are attempting to find an authorization bypass, you must use accounts you own.
The following are never allowed and are ineligible for reward. We may suspend your Jibres account and ban your IP address for:
- Performing distributed denial of service (DDoS) or other volumetric attacks.
- Spamming content
- Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.
Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 10,000 requests in a minute using Burp Suite Intruder is excessive.
Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:
- Research must be performed in your own account.
- Stop immediately if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; the Jibres security team will be able to determine the impact.
Severity Guidelines
All submissions are rated by Jibres using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions. Currently, we only have a bounty for high and critical bugs.
Vital severity issues are catastrophic: the attacker gains control of everything, and the consequences can be a matter of life or death.
Critical severity issues present a direct and immediate risk to a broad array of our users or to Jibres itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure.
High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access.
Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues.
Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker.
Submit Vulnerability Report
All technology contains bugs. If you've found a security vulnerability in a program on Jibres, we'd like to help out. The proof of concept is the most important part of your report submission. Clear, reproducible steps will help us validate the issue as quickly as possible.