Jumbo Privacy invites you to test their iOS and Android App. Good luck and happy hunting!
This section is meant to give an overview of the current architecture.
It is our intention to keep this up-to-date, but due to the nature of development, changes may have been introduced that are not reflected here.
The Jumbo app allows a user to connect a choice of services. The app then scans these services for settings which we deem to be privacy issues. The user can select which settings they want to change, which the app does on behalf of the user.
Further, we offer the user an option to enable "auto-delete" functionality for certain data items. We make use of various background APIs, which the app uses to run periodic audits, as well as delete any data items as a result of the user having enabled "auto-delete."
We accomplish this service connection by presenting a WKWebView to the user, in which the user is first prompted to log into the chosen service.
For operations on that service, we use the same WKWebView instance to initiate actions on the user's behalf, reusing the authenticated session (via the service's cookies).
The operations are controlled (scheduled) from the iOS native app, and their return value (in the form of a sent message) is interpreted by the iOS app as well.
Some state regarding this (e.g. whether the user has set up a service) is persisted via the native app.
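The native-app-to-WKWebView bridge described above, as an added illustration that is not Jumbo's own code: the app registers a script message handler, injects a script that runs inside the service's page and posts its result back, and the native side interprets that message. The handler name `auditResult`, the allowed host, and the `ServiceBridge` class are assumptions for this example; the point a defender cares about is that bridge messages are only accepted from the expected handler and the expected HTTPS origin, since any page loaded into the web view can otherwise call the same handler.

```swift
import WebKit

/// Hypothetical bridge between the native app and a service loaded in a WKWebView.
/// Example code only; names and hosts are constructed for illustration.
final class ServiceBridge: NSObject, WKScriptMessageHandler {
    private let handlerName = "auditResult"            // assumed handler name
    private let allowedHosts: Set<String> = ["service.example"]  // assumed service host
    private(set) var webView: WKWebView!
    private(set) var lastResult: [String: Any]?        // result interpreted natively

    override init() {
        super.init()
        let controller = WKUserContentController()
        controller.add(self, name: handlerName)
        let config = WKWebViewConfiguration()
        config.userContentController = controller
        // Session cookies stay in a non-persistent store for this example.
        config.websiteDataStore = .nonPersistent()
        webView = WKWebView(frame: .zero, configuration: config)
    }

    /// Scheduled by the native app: run a script in the service's page and
    /// have it report back through the message handler.
    func runAudit() {
        let js = "window.webkit.messageHandlers.\(handlerName).postMessage({op: 'audit', ok: true});"
        webView.evaluateJavaScript(js) { _, error in
            if let error = error { print("audit script failed: \(error)") }
        }
    }

    /// Native side of the bridge: validate the sender before trusting the message.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard message.name == handlerName else { return }
        // Only accept messages posted from the service's own origin over HTTPS;
        // a redirect or third-party frame must not be able to drive the app.
        let origin = message.frameInfo.securityOrigin
        guard origin.protocol == "https", allowedHosts.contains(origin.host) else {
            print("dropped bridge message from \(origin.protocol)://\(origin.host)")
            return
        }
        // Validate the shape of the payload before interpreting it.
        guard let body = message.body as? [String: Any],
              body["op"] is String, body["ok"] is Bool else { return }
        lastResult = body
    }

    /// Call before discarding the bridge: the content controller retains its
    /// handlers strongly, so the registration must be removed explicitly.
    func tearDown() {
        webView.configuration.userContentController
            .removeScriptMessageHandler(forName: handlerName)
    }
}
```

The origin check uses `WKScriptMessage.frameInfo.securityOrigin`, which WebKit fills in for the frame that posted the message; checking it is what distinguishes a result from the service's page from a message injected by any other content the web view happened to navigate to.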
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Last updated 24 Jun 2020 16:48:37 UTC
Technical severity | Reward range
P1 Critical | $4,100 - $4,500
P2 Severe | $1,500 - $1,750
P3 Moderate | $600 - $850
P4 Low | $200 - $250
P5 submissions do not receive any rewards for this program.
Target name | Type
JumboPrivacy iOS Application | iOS
JumboPrivacy Android Application | Android
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Jumbo Privacy not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
The application is available directly from the Apple App Store and Google Play Store.
Jumbo Privacy will give special consideration to vulnerabilities which lead to extraction of user data on a wide scale. Submissions in this category that meet the specifications below could be eligible for a $20,000 bounty. The guidelines for consideration for this reward are as follows:
Vulnerabilities exclusively affecting the services with which we interact are out of scope and should be reported to the affected service provider.
Where a combination of a vulnerability in one of these services AND an implementation detail (or bug) within the Jumbo app leads to a vulnerability, we consider this to be in scope. However, our reward will be a function of whether the eventual vulnerability is primarily a result of the implementation details of Jumbo, or of the service in question.
Jumbo asks candidates who apply for employment to submit technical work. Some candidates choose to publish this work (e.g. on their personal GitHub). Such work is unrelated to the targets in this program and is explicitly out of scope.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via firstname.lastname@example.org before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This program was found on Bugcrowd on 2020-06-24.