We are interested in findings related to design or implementation issues that can be reproduced and have a security-related impact on both Jet.com’s network and its users.
Examples of findings that would be valuable for us to know about include:
- Stored XSS
- Privilege Escalation
- SQL Injection
- Any other type of interesting security vulnerability that we do not explicitly exclude in these guidelines
Please make note of our revised program rules. In particular, we have increased our reward range and have added our mobile applications to the bug bounty scope.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.
Please Note: Findings in the mobile applications will receive an additional 25% bonus on top of the standard reward.
In scope
- iOS application - https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8
- Android application - https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en
- Any part of *.jet.com that is not explicitly mentioned in the out of scope section
Out of scope
- Third party hosted services with a Jet subdomain:
- Physical security of Jet buildings. Please do not attempt to sneak into our premises either secretly or by using social engineering.
- Any subsidiaries, parents, affiliates are not in scope unless explicitly mentioned in the in scope section.
- Outdated software versions are subject to a 72-hour blackout period to allow time for internal patching and testing (for instance, issues arising from a 0-day). Rewards will not be given for outdated software versions reported during this period.
- Any global scope security defects in the Microsoft Azure platform.
- *.qa.jet.com domains other than merchant.qa.jet.com
For jet.com: Please create an account https://jet.com/register?join
You MUST use your Bugcrowd email alias when registering for an account
- [Bugcrowd username]@bugcrowdninja.com example: email@example.com
For jet partner: Please create an account at: https://merchant.qa.jet.com/register
- You MUST use your bugcrowdninja.com email alias when registering for an account
- bugcrowd firstname.lastname@example.org
- example: email@example.com
- NOTE: Accounts will be approved within 72 hrs of request
- When creating an account, please use "bugcrowd" as the legal business name and enter 000000000 (nine zeros) as the Tax Identification Number.
A good submission will contain the following:
- Detailed steps on how the bug was found and how it can be reproduced.
- A list of any relevant URLs or applications affected by the vulnerability.
- Relevant screenshots or text files. As per Bugcrowd guidelines, please do not submit any videos to 3rd party websites. You are free to upload them ONLY via the bugcrowd submission form.
- The impact of the issue. How does the vulnerability affect Jet.com or Jet.com users?
- A description of a proof of concept attack with which an attacker could exploit the vulnerability.
- A suggested solution to the vulnerability, if possible.
While we greatly appreciate your assistance in finding bugs, we ask that you respect the following rules:
- Please do not perform DoS or DDoS attacks.
- Please do not engage in any illegal activities involving any sensitive data found, such as selling user credentials.
- Please only use accounts that you are in control of.
- Please do not send users phishing emails or use any other form of social engineering to gain access. This applies to both user accounts and employee accounts.
- Please do not test the physical security of Jet.com facilities.
- Please ask us for permission before publicly disclosing any vulnerabilities or the methodology used in finding them. Publicly disclosing a finding without our permission will result in disqualification for any reward.
- Please do not use any vulnerabilities to cause direct damage to Jet, e.g. purchasing a TV for 1 dollar due to a clear pricing error.
- Please do not test against anything that we explicitly designate as out of scope.
- Please do not knowingly send Jet.com employees or users malware as a part of testing.
- You must be the first researcher to submit a finding to receive a reward. Duplicate submissions will result in reduced points and no monetary reward. We will review all duplicate submissions for additional information, but in general only the first submitter will receive a reward.
- Please do not directly contact our Customer Support or any Jet.com employee regarding the status of a submission. This will result in automatic disqualification for any reward, regardless of severity. Please keep all communication within the Bugcrowd program. Fixing certain bugs can take time. Please do not repeatedly send messages inquiring about the status of a specific finding.
- Please verify your issues before submitting anything. We will not give a reward for false positives. Copied and pasted output of low-impact issues from automated scanners, submitted without validation or an explanation of the impact of the issue, will not result in a reward.
| Priority | Reward range |
|---|---|
| P1 | $8,000 - $15,000 |
| P2 | $3,000 - $8,000 |
| P3 | $500 - $3,000 |
| P4 | $100 - $500 |
The following findings will generally receive no reward:
- Attacks requiring users to run out of date software, e.g. unsupported browser version, old mobile app versions, etc.
- Attacks requiring compromise of a victim user’s email account
- Self-induced browser cache issues
- Claims that randomly generated values such as session IDs are predictable without substantial proof.
- Lack of password/email verification upon registration
- Lack of binary obfuscation
- Non-sensitive token or 3rd party public API key disclosure
- Security weaknesses found in 3rd party dependencies in the mobile applications unless sensitive data is leaked from them
- Lack of notification for not verifying the current version of the mobile applications
- Lack of mobile app specific PIN
- Mobile application snapshot enabled
- Non-sensitive data being leaked via mobile application clipboard
- Non-sensitive data cached by mobile keyboards
- Lack of root/jailbreak detection
- Lack of code obfuscation
- Insecure compiler settings such as byte code minification, PIE, stack protection, and ARC
- Lack of account lockout or rate limiting
- Lack of session token invalidation after user logout
- Session termination after a period of inactivity
- Lack of 2-factor authentication
- Bypass of certificate pinning on mobile applications
- Runtime manipulation/hooking
- Crashes due to malicious intents or URL schemes