At JFrog, we are committed to ensuring the safety and security of our customers. We

care deeply about protecting our customers’ and employees’ data and assets, as well

as designing and testing our products.

As part of this, we encourage security researchers to put our security to the test - and

we offer a variety of rewards for doing so. We look forward to continuing to work with

the community as we add new features and services.

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 2 days |

| Time to Triage | 2 days |

| Time to Resolution | depends on severity and complexity |

Program Rules

• When creating accounts, sending emails or submitting forms, please only use YOUR_H1_USER@wearehackerone.com email, so we can identify you accordingly.

• Automated testing is not permitted.

• Do not comment or create Jira tickets.

• Follow HackerOne’s Disclosure Guidelines.

• Test only with your account when investigating bugs, and do not interact with other accounts without their owners' consent to avoid GDPR violations.

• You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.

• Contacting our security team about the status of a HackerOne report will result in an immediate disqualification for a reputation for that report.

• Please do not generate multiple instances of JFrog cloud instances.

• Please do not cause potential or actual damage to JFrog Customers including users, systems, or applications.

What’s Not In Scope

The following bugs are unlikely to be eligible for a bounty:

• CSV Injection

• Issues found through automated testing, "Scanner output" or scanner-generated reports

• Publicly released bugs in internet software within 3 days of their disclosure

• "Advisory" or "Informational" reports that do not include any JFrog-specific testing or context

• Security bugs in www.jfrog.com - this site runs on WordPress, if you find vulnerabilities in the WordPress service, please report your findings at WordPress BBP

• Security bugs in third-party applications or services built on the Jfrog API - please report them to the third party that built the application or service

• Vulnerabilities requiring physical access to the victim’s unlocked device

• Denial of Service attacks

• Brute Force attacks

• Spam or Social Engineering techniques, including:

• SPF and DKIM issues

• Content injection

• Hyperlink injection in emails

• IDN homograph attacks

• RTL Ambiguity

• Content Spoofing (aka HTML Injection)

• Issues relating to Password Policy

• Full-Path Disclosure on any property

• Version number information disclosure

• Clickjacking

• CSRF-able actions that do not require authentication (or a session) to exploit

• Lack of Rate Limiting / Captcha (forms)

• Reports related to the following security-related headers:

  • Strict Transport Security (HSTS)

  • XSS mitigation headers (X-Content-Type and X-XSS-Protection)

  • X-Content-Type-Options

  • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)

• Any missing security best practice Testing notes

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered

authorized conduct and we will not initiate legal action against you. If legal action is

initiated by a third party against you in connection with activities conducted under this

policy, we will take steps to make it known that your actions were conducted in

compliance with this policy.