30/06/2015

Thanks, Gift, Hall of Fame, Reward: 100 $

Jet.com

Welcome to the Jet.com Bug Bounty!

At Jet.com we greatly value the security of our site and resources, and the community of security researchers that help keep us safe. We appreciate everyone who looks at our site, and especially those who make us aware of issues and help us to fix them.

We award kudos nearly immediately after a submission (If it is accepted), and will move states around without awarding $$$ first. DO NOT BE ALARMED! You will get your award! We do this so we can be as quick and accurate with our rewards as possible.

This program does not allow public disclosure.

Reward Range

Last updated 6 Sep 2019 20:39:14 UTC

Technical severity | Reward range
---|---
p1 Critical | $8,000 - $15,000
p2 Severe | $3,000 - $8,000
p3 Moderate | $500 - $3,000
p4 Low | $100 - $500

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
*.jet.com | Other
Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en | Android
iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8 | iOS
*.notjet.net | Other
JET.com API | API
github.com/jet/* repos that have security.md file defined | Other
merchant.notjet.net | Other
<https://batman-api.notjet.net/swagger> | API

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.

Please note that for .jet.com, any part of .jet.com that is not explicitly mentioned in the out-of-scope section is in scope; however, please review the out-of-scope section so that you are only testing hosts that are in scope. Thanks!

If you believe you have got access to an internal machine or network, do not try to exploit it further and do not try to access internal or customer data, but notify us about it straight away. Please do not perform any DoS attacks.

Program Rules

  • Please perform all testing of our main e-commerce portal on notjet.net instead of jet.com; the two are essentially the same application, but notjet.net is our QA environment made for testing.
  • If you believe you have got access to an internal machine or network, please do not try to exploit it further and do not try to access internal or customer data, but notify us about it straight away.
  • Please do not perform any DoS attacks.
  • Please do not perform any Social Engineering attacks.
  • Please do not attack our users directly, but perform all testing on your own accounts.
  • Please keep in mind the out-of-scope items listed below.

Instructions

For Notjet.net (Our Main Ecommerce Site):
  • Please create an account at https://notjet.net/register?join
  • You MUST use your @bugcrowdninja.com email alias when registering for an account.
  • Bugs in open source repos located at github.com/jet, which jet.com uses under the hood, are also considered in scope if a security.md file is defined in them. Those include:
    • https://github.com/jet/falanx
    • https://github.com/jet/equinox
    • https://github.com/jet/express-ad
    • https://github.com/jet/damon
    • https://github.com/jet/baybars
    • https://github.com/jet/XRay
    • https://github.com/jet/Jet.JsonNet.Converters
    • https://github.com/jet/CallPolly

Please note that repos that do not have a security.md file defined are not in scope.

For merchant.notjet.net (Our Merchant Portal):
  • Navigate to https://merchant.notjet.net/
  • Click "Apply now" in the top right-hand corner.
  • Click either "Brand Manufacturer" or "Retailer" (it does not matter which).
  • Use [your_bugcrowd_username]@bugcrowdninja.com as the email.
  • Use "Bugcrowd" as the "Legal business name".
  • Use 000000000 (9 zeros) as the "Tax Identification Number".
  • Your account will be approved within 72 hrs of request!
  • API Documentation for this site can be found at developer.jet.com
    • Please keep in mind that all URLs in our documentation refer to prod URLs which need to be changed to QA URLs when testing. That means that merchant-api.jet.com needs to be changed to merchant-api.notjet.net when making API calls.

For the Jet API (http://batman-api.notjet.net/)
  • Open Postman and load the provided collection (https://bit.ly/2UChkR3).
  • Under the "auth" folder, you will see 4 requests.
  • Make an account on notjet.net.
  • Fill in your notjet.net credentials as environment variables in Postman.
  • Make all 4 requests in order.
  • In the responses you will receive all of the tokens and keys needed to operate the API.
  • Start testing! Please check out the API documentation at https://batman-api.notjet.net/swagger

Out of Scope Items:

Site/Address | Why
---|---
Jet.com | Notjet.net is the same exact app just made for testing!
Partner.jet.com | Merchant.notjet.net is the same exact app just made for testing!
Developer.jet.com | 3rd Party Service
Email.jet.com | 3rd Party Service
Email.notjet.net | 3rd Party Service
Go.jet.com | 3rd Party Service
Numbers.jet.com | 3rd Party Service
Numbers.notjet.net | 3rd Party Service
Clicks.jet.com | 3rd Party Service
Horizon.jet.com | 3rd Party Service
Swagstore.jet.com | 3rd Party Service
Partnerstatus.jet.com | 3rd Party Service
Pipeline.jet.com | 3rd Party Service
Staging-ap.jet.com | Testing environment

Additional Out of Scope Items:

  • Any 3rd party services
  • Physical security of Jet buildings. Please do not attempt to sneak into our premises either secretly or by using social engineering.
  • Phishing/Social Engineering Attacks against Jet Employees.
  • Any subsidiaries, parents, or affiliates are not in scope unless explicitly mentioned in the in-scope section.
  • Outdated software versions are subject to a 72-hour blackout period to grant time for internal patching and testing (for instance, issues resulting from a 0day, etc). Rewards will not be given for outdated software versions reported during this period.
  • Any global scope security defects in the Microsoft Azure platform.
  • Clickjacking
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Rate Limiting Issues
  • Missing SPF on Non-Email Domain (i.e. notjet.net)
  • CSP related issues

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

In Scope

Scope Type | Scope Name
---|---
android_application | Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en
api | JET.com API
ios_application | iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8
other | github.com/jet/* repos that have security.md file defined
web_application | *.jet.com
web_application | *.notjet.net
web_application | merchant.notjet.net
web_application | https://batman-api.notjet.net/swagger


The program has been crawled by Firebounty on 2015-06-30 and updated on 2019-10-22; 234 reports have been received so far.
