Jumkey Bug Bounty Program
Jumkey is commited to improving security for its users. We reward reporters for the responsible
disclosure of in-scope issues and exploitation techniques.
If you discover a bug, we appreciate your cooperation in responsibly investigating
and reporting it to us so that we can address it as soon as possible.
Jumkey Bug Bounty Program offers bounties for security software bugs which meet the following criteria.
- The bug has a direct security impact and falls under one of our Vulnerability Categories below
- Rewards can only be credited to your wallet and KYC is mandatory.
- The minimum reward for eligible bugs is 1000 INR, Bounty amounts are not negotiable.
- 1 valid bug equals 1 reward.
- Multiple reports over time can be eligible for Hall of Fame or a digital certificate.
- We may also consider to give a job offer contract to work in-house or remotely.
In situations where a bug does not warrant a bounty, we may issue a digital certificate. Our certification process is multi-leveled:
Our Hall of Fame page recognizes the contributions of reporters who have demonstrated a high level of dedication to our program.
Acceptance requires multiple valid reports and remains at the discretion of our team.
- Be the first to report the issue to us.
- Must pertain to an item explicitly listed under Vulnerability Categories.
- Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
- You agree to participate in testing the effectiveness of the countermeasure applied to your report.
- You agree to keep any communication with Jumkey private.
|1.||Cross-Site Request Forgery **||On sensitive actions|
|2.||Cross-Site Scripting **||Self-XSS is out of scope|
|3.||Open Redirects **||Which allow stealing secrets/tokens|
|5.||Server Side Request Forgery|
|7.||Local File Inclusion|
|8.||Remote File Inclusion|
|9.||Leakage of Sensitive Data|
|13.||Remote Code Execution|
We will pay significantly (4 times) more for vulnerabilities which would ultimately result in data leakages, authentication bypasses, code execution or payment manipulations.
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Don't request updates on an hourly basis. We are handling dozens of reports daily and spam impacts Jumkey's Bug Bounty Program efficiency.
- Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
- Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- In case you find a severe vulnerability that allows system access, you must not proceed further.
- It is Jumkey's decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than Jumkey is forbidden, all bug reports are to remain at the reporter and Jumkey discretion.
- Threatening of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Bug disclosure communications with Jumkey Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
Reporting of Bugs
All communication on email only. As we can forward to concerned teams.
Please send an email to firstname.lastname@example.org,
Our chief's will check and get back to you as soon as possible.
- Be cordial, be clear, concise in the email about the bug details.
- Please keep it confidential.
- Please attach screenshots or videos recordings or POC, so we can reproduce the same bugs and check at our side.