BlueJeans takes the security, integrity, availability of the service, and the privacy of our users seriously. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at BlueJeans. Every day new security issues and attack vectors are created. BlueJeans strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
Rules of engagement:
We are interested in hearing about security issues in production BlueJeans sites and our client software applications. These in-scope, production assets have been listed below under 'Targets'. That said, there are some things we explicitly ask you not to do:
- Do not run automated scans without checking with us first. They are often very noisy.
- If running any automated testing tools, be sure to keep well under 100 requests per second - otherwise you're likely to get locked out.
- Do not test the physical security of BlueJeans offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.)
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen user credentials.
- Do not in any way disrupt our customers.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
This is a kudos-only program. No monetary rewards will be provided for submissions, but we will be forever grateful and appreciative of your work in making BlueJeans and the internet more secure!
Out of scope
Any domain/property of BlueJeans Network not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
BlueJeans Products & Services:
The BlueJeans product line includes BlueJeans Meetings, BlueJeans Events, and BlueJeans Rooms. There is also an E-commerce application that is used by prospects to purchase BlueJeans services.
BlueJeans Meetings: Collaborate from anywhere on any device with online meetings.
- Meeting Moderators
- Meeting Attendees
- Enterprise Administrator: This is a special role that is given to trusted users in your enterprise. This role has the highest privileges from an enterprise perspective.
How to access:
- You will access the BlueJeans service using trial accounts and unauthenticated guests.
- Please create a BlueJeans trial account on your own using your @bugcrowdninja.com email address. Your '@bugcrowdninja.com' email address is your email@example.com. All emails will go to the email address associated with your account. You will need to activate your account by confirming receipt of the activation email.
- Doing the above will create a free trial enterprise for you.
- For testing from the paid enterprise perspective with all features enabled, please send your @bugcrowdninja.com email address to firstname.lastname@example.org and we will add that to a paid enterprise account.
BlueJeans Events: Host and manage live interactive events for large audiences around the world.
- This feature needs to be enabled on your account. Please send your @bugcrowdninja.com email address to email@example.com and we will enable the Events feature for you. You can access events via the Events page.
- Please test the APIs provided in the API Documentation.
- API Documentation: Here
E-commerce Application: This is used mainly by SMB customers for purchasing BlueJeans services.
How to access:
- Geo-Fencing is enabled and the ‘Buy Now’ feature is accessible only from non-APAC region IP addresses.
BlueJeans Mac & Windows Desktop Client
- Test with our current desktop client.
- The new desktop client can be downloaded by opening https://bluejeans.com/<meeting id>/blue
- Or download the desktop client from here: https://www.bluejeans.com/downloads
BlueJeans Browser-based Web Meeting Clients
- From Chrome, Safari, Firefox and Opera, launch the meeting using the URL: https://bluejeans.com/<meeting id>/webrtc
BlueJeans Mobile Clients
- From iOS and Android, launch the meeting as: https://bluejeans.com/<meeting id>. The BlueJeans app will download; install and run it.
All services can be accessed via https://www.bluejeans.com/ and https://bluejeans.com/
- NOTE: Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.
- The BlueJeans services BlueJeans Meetings and BlueJeans Events are mostly a single-page web application and client-based video conferencing solution. BlueJeans is interested in any vulnerabilities that can be used to gain access to another BlueJeans service user's account and meeting video recordings.
- BlueJeans Events is our events service and can be accessed via the events tab once logged in.
- The static host is a CDN for static content only.
- The API host is used by non-web clients such as the desktop app and mobile apps.
- If you want to test the enterprise API, contact us at firstname.lastname@example.org. Give us your BlueJeans Account and the BugCrowd researcher ID and request Enterprise API access and the documentation.
- NOTE: Network Level DDoS/DoS attacks are forbidden.
- Application-level volumetric DDoS/DoS attacks are forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.
- Interacting with real customers or real customer accounts is forbidden.
To prevent being locked out, please throttle automated testing to under 100 requests per second.