| Scope Type | Scope Name |
| --- | --- |
| android_application | Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en |
| ios_application | iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8 |
| other | github.com/jet/* repos that have security.md file defined |
At Jet.com we greatly value the security of our site and resources, and the community of security researchers that help keep us safe. We appreciate everyone who looks at our site, and especially those who make us aware of issues and help us to fix them.
We award kudos nearly immediately after a submission (if it is accepted), and will move states around without awarding $$$ first. DO NOT BE ALARMED! You will get your award! We do this so we can be as quick and accurate with our rewards as possible.
This program does not allow public disclosure.
Questions, comments, or suggestions? Reach out to us at security['at']jet.com
| Target name | Type |
| --- | --- |
| *.jet.com | Other |
| Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en | Android |
| iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8 | iOS |
| *.notjet.net | Other |
| JET.com API | API |
| github.com/jet/* repos that have security.md file defined | Other |
| merchant.notjet.net | Other |
| https://batman-api.notjet.net/swagger | API |
Please note that for *.jet.com, any part of *.jet.com that is not explicitly listed in the out-of-scope section is in scope; however, please review the out-of-scope section to ensure that you are only testing hosts that are in scope. Thanks!
If you believe you have gained access to an internal machine or network, do not try to exploit it further and do not try to access internal or customer data; notify us about it straight away. Please do not perform any DoS attacks.
Specific things we like giving lots of money for:
| Type | Payout |
| --- | --- |
| Significant XSS | $1,000 - $5,000 |
| Authentication Bypass | Up to $15,000 |
| Vert/Horizontal Privilege Escalation | $3,000 - $10,000 |
| Significant Data Exposure | Up to $10,000 |
| Shell/RCE | $5,000 - $15,000 |

| Severity | Payout |
| --- | --- |
| P1 | $8,000 - $15,000 |
| P2 | $3,000 - $8,000 |
| P3 | $500 - $3,000 |
| P4 | $100 - $500 |
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.
Please note that repos that do not have a security.md file defined are not in scope.
| Site/Address | Why |
| --- | --- |
| Jet.com | Notjet.net is the same exact app just made for testing! |
| Partner.jet.com | Merchant.notjet.net is the same exact app just made for testing! |
| Developer.jet.com | 3rd Party Service |
| Email.jet.com | 3rd Party Service |
| Email.notjet.net | 3rd Party Service |
| Go.jet.com | 3rd Party Service |
| Numbers.jet.com | 3rd Party Service |
| Numbers.notjet.net | 3rd Party Service |
| Clicks.jet.com | 3rd Party Service |
| Horizon.jet.com | 3rd Party Service |
| Swagstore.jet.com | 3rd Party Service |
| Partnerstatus.jet.com | 3rd Party Service |
| Pipeline.jet.com | 3rd Party Service |
| Staging-ap.jet.com | Testing environment |
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.