29/05/2018

Blue Jeans Network

BlueJeans takes the security, integrity, and availability of the service, and the privacy of our users, seriously. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at BlueJeans. Every day new security issues and attack vectors are created. BlueJeans strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Rules of engagement:

We are interested in hearing about security issues in production BlueJeans sites and our client software applications. These in-scope, production assets have been listed below under 'Targets'. That said, there are some things we explicitly ask you not to do:

  • Do not run automated scans without checking with us first. They are often very noisy.
    • If running any automated testing tools, be sure to keep well under 100 requests per second - otherwise you're likely to get locked out.
  • Do not test the physical security of BlueJeans offices, employees, equipment, etc.
  • Do not test using social engineering techniques (phishing, vishing, etc.)
  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in the trade of stolen user credentials.
  • Do not in any way disrupt our customers.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

This is a kudos-only program. No monetary rewards will be provided for submissions, but we will be forever grateful and appreciative of your work in making BlueJeans and the internet more secure!

This program only awards points for submissions.

Targets

In scope

Target name | Type
---|---
<https://bluejeans.com/> | Website
<https://api.bluejeans.com/> | API
<https://a2m.bluejeans.com> | Website
<https://huddle.bluejeans.com> | Other
<https://primetime.bluejeans.com> | Website
<https://static.bluejeans.com/> | Other
<https://www.bluejeans.com/> | Website
BlueJeans Android Application | Android
BlueJeans iOS Application | iOS
BlueJeans Mac Client | Other
BlueJeans Windows Client | Other
BlueJeans Browser-based Web Meeting Clients | Other

Out of scope

Target name | Type
---|---
<https://a.bluejeans.com/> | Website
<https://community.bluejeans.com> | Website
<https://hub.bluejeans.com> | Website
<https://www-a.bluejeans.com/> | Website
<https://www-dev.bluejeans.com/> | Website

Any domain/property of BlueJeans Network not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


BlueJeans Products & Services:

The BlueJeans product line includes BlueJeans Meetings, BlueJeans Events, and BlueJeans Rooms. There is also an E-commerce application that is used by prospects to purchase BlueJeans services.

BlueJeans Meetings: Collaborate from anywhere on any device with online meetings.
Supported Roles:

  • Meeting Moderators
  • Meeting Attendees
  • Enterprise Administrator: This is a special role that is given to trusted users in your enterprise. This role has the highest privileges from an enterprise perspective.

How to access:

  • You will access the BlueJeans service using trial accounts and unauthenticated guests.
  • Please create a BlueJeans trial account on your own using your @bugcrowdninja.com email address. Your '@bugcrowdninja.com' email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account. You will need to activate your account by confirming receipt of the activation email.
  • Doing the above will create a free trial enterprise for you.
  • For testing from the paid enterprise perspective with all features enabled, please send your @bugcrowdninja.com email address to bugcrowd@bluejeans.com and we will add that to a paid enterprise account.

BlueJeans Events: Host and manage live interactive events for large audiences around the world.
Supported Roles:

  • Moderator
  • Presenter
  • Attendee
    • This feature needs to be enabled on your account. Please send your @bugcrowdninja.com email address to bugcrowd@bluejeans.com and we will enable the Events feature for you. You can access events via the events page.

BlueJeans Rooms: Make any room a video conference room that is easy to use and manage.

  • Please test the APIs provided in the API Documentation.
    • API Documentation: here

E-commerce Application: This is used mainly by SMB customers for purchasing BlueJeans services.
How to access:

  • Geo-Fencing is enabled and the ‘Buy Now’ feature is accessible only from non-APAC region IP addresses.
  • https://store.bluejeans.com

BlueJeans Mac & Windows Desktop Client

  • Test with our current desktop client.
  • The new desktop client can be downloaded from https://bluejeans.com//blue
  • Or download the desktop client from here: https://www.bluejeans.com/downloads

BlueJeans Browser-based Web Meeting Clients

  • From Chrome, Safari, Firefox and Opera, launch the meeting using the URL: https://bluejeans.com//webrtc

BlueJeans Mobile Clients

  • From iOS and Android, launch the meeting as: https://bluejeans.com/. The BlueJeans app will download. Install and run it.

All services can be accessed via https://www.bluejeans.com/ and https://bluejeans.com/.

  • NOTE: Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.

Focus Areas:

  • The BlueJeans services BlueJeans Meetings and BlueJeans Events are mostly a single-page web application and client-based video conferencing solution. BlueJeans is interested in any vulnerabilities that can be used to gain access to another BlueJeans service user's account and meeting video recordings.

In-Scope Details:

  • BlueJeans Events is our events service and can be accessed via the events tab once logged in.
  • Static is a CDN for static content only.
  • The API is used by non-web clients such as the desktop app and mobile apps.
    • If you want to test the enterprise API, contact us at bugcrowd@bluejeans.com. Give us your BlueJeans Account and the BugCrowd researcher ID and request Enterprise API access and the documentation.

Out-of-Scope:

  • NOTE: Network Level DDoS/DoS attacks are forbidden.
  • Application volumetric DDoS/DoS attacks are forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.
  • Interacting with real customers or real customer accounts is forbidden.

To prevent being locked out, please throttle automated testing to under 100 requests per second.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2018