BlueJeans takes the security, integrity, and availability of the service, and
the privacy of our users, seriously. We appreciate all security concerns
brought forth and are constantly striving to keep on top of the latest
threats. Being proactive rather than reactive to emerging security issues is a
fundamental belief at BlueJeans. Every day new security issues and attack
vectors are created. BlueJeans strives to keep abreast of the latest state-of-
the-art security developments by working with security researchers and
companies. We appreciate the community's efforts in creating a more secure
Rules of engagement:
We are interested in hearing about security issues in production BlueJeans
sites and our client software applications. These in-scope, production assets
have been listed below under 'Targets'. That said, there are some things we
explicitly ask you not to do:
- Do not run automated scans without checking with us first. They are often very noisy.
- If running any automated testing tools, be sure to keep well under 100 requests per second - otherwise you're likely to get locked out.
- Do not test the physical security of BlueJeans offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.)
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen user credentials.
- Do not in any way disrupt our customers.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the
prioritization/rating of findings.
This is a kudos-only program. No monetary rewards will be provided for
submissions, but we will be forever grateful and appreciative of your work in
making BlueJeans and the internet more secure!
This program only awards points for VRT based submissions.
Target name | Type
<https://bluejeans.com/> | Website
<https://api.bluejeans.com/> | API
<https://a2m.bluejeans.com> | Website
<https://huddle.bluejeans.com> | Other
<https://primetime.bluejeans.com> | Website
<https://static.bluejeans.com/> | Other
<https://www.bluejeans.com/> | Website
BlueJeans Android Application | Android
BlueJeans iOS Application | iOS
BlueJeans Mac Client | Other
BlueJeans Windows Client | Other
BlueJeans Browser-based Web Meeting Clients | Other
Out of scope
Target name | Type
<https://a.bluejeans.com/> | Website
<https://community.bluejeans.com> | Website
<https://hub.bluejeans.com> | Website
<https://www-a.bluejeans.com/> | Website
<https://www-dev.bluejeans.com/> | Website
Any domain/property of BlueJeans Network not listed in the targets section is
out of scope. This includes any/all subdomains not listed above.
BlueJeans Products & Services:
The BlueJeans product line includes BlueJeans Meetings, BlueJeans Events, and
BlueJeans Rooms. There is also an E-commerce application that is used by
prospects to purchase BlueJeans services.
BlueJeans Meetings: Collaborate from anywhere on any device with online meetings.
- Meeting Moderators
- Meeting Attendees
- Enterprise Administrator: This is a special role that is given to trusted users in your enterprise. This role has the highest privileges from an enterprise perspective.
How to access:
- You will access the BlueJeans service using trial accounts and unauthenticated guests.
- Please create a BlueJeans trial account on your own using your @bugcrowdninja.com email address. Your '@bugcrowdninja.com' email address is your email@example.com. All emails will go to the email address associated with your account. You will need to activate your account by confirming receipt of the activation email.
- Doing the above will create a free trial enterprise for you.
- For testing from the paid enterprise perspective with all features enabled, please send your @bugcrowdninja.com email address to firstname.lastname@example.org and we will add that to a paid enterprise account.
BlueJeans Events: Host and manage live interactive events for large audiences around the world.
- This feature needs to be enabled on your account. Please send your @bugcrowdninja.com email address to email@example.com and we will enable the Events feature for you. You can access events via the events page.
BlueJeans Rooms: Make any room a video conference room that is easy to use and manage.
- Please test the APIs provided in the API documentation.
E-commerce Application: This is used mainly by SMB customers for purchasing BlueJeans services.
How to access:
- Geo-Fencing is enabled and the ‘Buy Now’ feature is accessible only from non-APAC region IP addresses.
BlueJeans Mac & Windows Desktop Client
- Test with our current desktop client.
- The new desktop client can be downloaded at https://bluejeans.com//blue
- Or download the desktop client from here: https://www.bluejeans.com/downloads
BlueJeans Browser-based Web Meeting Clients
- From Chrome, Safari, Firefox and Opera, launch the meeting using the URL: https://bluejeans.com//webrtc
BlueJeans Mobile Clients
- From iOS and Android, launch the meeting as: https://bluejeans.com/. The BlueJeans app will download. Install and run it.
All services can be accessed via https://www.bluejeans.com/ and
- NOTE: Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.
- The BlueJeans services BlueJeans Meetings and BlueJeans Events are mostly a single-page web application and client-based video conferencing solution. BlueJeans is interested in any vulnerabilities that can be used to gain access to another BlueJeans service user's account and meeting video recordings.
- BlueJeans Events is our events service and can be accessed via the events tab once logged in.
- Static (static.bluejeans.com) is a CDN for static content only.
- API (api.bluejeans.com) is used by non-web clients such as the desktop app and mobile apps.
- If you want to test the enterprise API, contact us at firstname.lastname@example.org. Give us your BlueJeans Account and the BugCrowd researcher ID and request Enterprise API access and the documentation.
- NOTE: Network Level DDoS/DoS attacks are forbidden.
- Application-level volumetric DDoS/DoS attacks are forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.
- Interacting with real customers or real customer accounts is forbidden.
To prevent being locked out, please throttle automated testing to under 100
requests per second.
This program follows Bugcrowd’s standard disclosure
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.