At JFrog, we are committed to ensuring the safety and security of our customers. We
care deeply about protecting our customers’ and employees’ data and assets, as well
as designing and testing our products.
As part of this, we encourage security researchers to put our security to the test - and
we offer a variety of rewards for doing so. We look forward to continuing to work with
the community as we add new features and services.
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
- When creating accounts, sending emails or submitting forms, please only use YOUR_H1_USER@wearehackerone.com email, so we can identify you accordingly.
- Automated testing is not permitted.
- Do not comment or create Jira tickets.
- Follow HackerOne’s Disclosure Guidelines.
- Test only with your account when investigating bugs, and do not interact with other accounts without their owners' consent to avoid GDPR violations.
- You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
- Contacting our security team about the status of a HackerOne report will result in an immediate disqualification for a reputation for that report.
- Please do not generate multiple instances of JFrog cloud instances.
- Please do not cause potential or actual damage to JFrog Customers including users, systems, or applications.
The following bugs are unlikely to be eligible for a bounty:

- CSV Injection
- Issues found through automated testing, "Scanner output" or scanner-generated reports
- Publicly released bugs in internet software within 3 days of their disclosure
- "Advisory" or "Informational" reports that do not include any JFrog-specific testing or context
- Security bugs in www.jfrog.com - this site runs on WordPress; if you find vulnerabilities in the WordPress service, please report your findings at WordPress BBP
- Security bugs in third-party applications or services built on the JFrog API - please report them to the third party that built the application or service
- Vulnerabilities requiring physical access to the victim’s unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques, including:
  - SPF and DKIM issues
  - Content injection
  - Hyperlink injection in emails
  - IDN homograph attacks
  - RTL Ambiguity
- Content Spoofing (aka HTML Injection)
- Issues relating to Password Policy
- Full-Path Disclosure on any property
- Version number information disclosure
- Clickjacking
- CSRF-able actions that do not require authentication (or a session) to exploit
- Lack of Rate Limiting / Captcha (forms)
- Reports related to the following security-related headers:
  - Strict Transport Security (HSTS)
  - XSS mitigation headers (X-Content-Type and X-XSS-Protection)
  - X-Content-Type-Options
  - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Any missing security best practice

Testing notes
Any activities conducted in a manner consistent with this policy will be considered
authorized conduct and we will not initiate legal action against you. If legal action is
initiated by a third party against you in connection with activities conducted under this
policy, we will take steps to make it known that your actions were conducted in
compliance with this policy.
| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | *.jfrog.com |
| web_application | *.jfrog.org |
| web_application | www.jfrog.com |
| web_application | www.jfrog.com/confluence |
| web_application | www.jfrog.com/jira |
| web_application | conan.io |
| web_application | www.jfrog.co.jp |
| web_application | www.jfrogchina.com |
| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | my.jfrog.com |
| web_application | INSTANCE.jfrog.io |
| web_application | https://jfrog.com/artifactory/start-free/#hosted |
| web_application | connect.jfrog.io |
This program was crawled on 2021-09-29 and is sorted as bounty.
FireBounty © 2015-2024