At Jet.com we greatly value the security of our site and resources, and the community of security researchers that help keep us safe. We appreciate everyone who looks at our site, and especially those who make us aware of issues and help us to fix them.
We award kudos nearly immediately after a submission (if it is accepted), and will move states around without awarding $$$ first. DO NOT BE ALARMED! You will get your award! We do this so we can be as quick and accurate with our rewards as possible.
This program does not allow public disclosure.
Last updated 6 Sep 2019 20:39:14 UTC
Technical severity | Reward range
p1 Critical | $8,000 - $15,000
p2 Severe | $3,000 - $8,000
p3 Moderate | $500 - $3,000
p4 Low | $100 - $500
P5 submissions do not receive any rewards for this program.
Target name | Type
*.jet.com | Other
Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en
iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8 | iOS
*.notjet.net | Other
JET.com API | API
github.com/jet/* repos that have security.md file defined | Other
merchant.notjet.net | Other
<https://batman-api.notjet.net/swagger> | API
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.
Please note that for *.jet.com, any part of *.jet.com that is not explicitly mentioned in the out-of-scope section is in scope; however, please review the out-of-scope section to ensure that you're only testing hosts that are in scope. Thanks!
If you believe you have gained access to an internal machine or network, do not try to exploit it further and do not try to access internal or customer data; notify us about it straight away. Please do not perform any DoS attacks.
Please note that repos that do not have a security.md file defined are not in scope.
Site/Address | Why
Jet.com | Notjet.net is the same exact app just made for testing!
Partner.jet.com | Merchant.notjet.net is the same exact app just made for testing!
Developer.jet.com | 3rd Party Service
Email.jet.com | 3rd Party Service
Email.notjet.net | 3rd Party Service
Go.jet.com | 3rd Party Service
Numbers.jet.com | 3rd Party Service
Numbers.notjet.net | 3rd Party Service
Clicks.jet.com | 3rd Party Service
Horizon.jet.com | 3rd Party Service
Swagstore.jet.com | 3rd Party Service
Partnerstatus.jet.com | 3rd Party Service
Pipeline.jet.com | 3rd Party Service
Staging-ap.jet.com | Testing environment
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings.
This bounty requires explicit permission to disclose the results of a submission.
|Scope Type||Scope Name|
Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en
iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8
github.com/jet/* repos that have security.md file defined
The program has been crawled by Firebounty on 2015-06-30 and updated on 2019-10-22; 234 reports have been received so far.