Program stats

198 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$1,076.30 average payout (last 3 months)

Welcome to the Jet.com Bug Bounty!

The BRAND NEW piece of scope here is the Jet API! Please check out the instructions below on how to access it!

At Jet.com we greatly value the security of our site and resources, and the community of security researchers that helps keep us safe. We appreciate everyone who looks at our site, and especially those who make us aware of issues and help us to fix them.

We award kudos nearly immediately after a submission (if it is accepted), and will move states around without awarding $$$ first. DO NOT BE ALARMED! You will get your award! We do this so we can be as quick and accurate with our rewards as possible.

At Jet.com, we support the open publication of security research. Please ask Jet before publication so that we can give permission and coordinate with you. This bounty requires explicit permission to disclose the results of a submission.

Questions, comments, or suggestions? Reach out to us at bugbounty['at']jet.com

Web Application Vulns

We are looking for vulnerabilities in the publicly facing web applications listed below. That includes almost anything that could potentially impact the site or its users. The scope is straightforward and very open when it comes to the type of vulnerability, but please refer to the targets page to see exactly what is in scope. Our Bug Bounty has been open for some time, so **automated tools will generally not produce results.**

Instructions

For Notjet.net (Our Main Ecommerce Site):
  • Please create an account at https://notjet.net/register?join
  • You MUST use your Bugcrowd email alias when registering for an account.
  • Ex: [Bugcrowd Username]@bugcrowdninja.com
  • Some useful information can be found here - https://notjet.net/debug
For merchant.qa.notjet.net (Our Merchant Portal):
  • Navigate to https://merchant.qa.notjet.net/
  • Click "Apply now" in the top right-hand corner.
  • Click either "Brand Manufacturer" or "Retailer" (it does not matter which).
  • Use [your_bugcrowd_username]@bugcrowdninja.com as the email.
  • Use "Bugcrowd" as the "Legal business name".
  • Use 000000000 (9 zeros) as the "Tax Identification Number".
  • Your account will be approved within 72 hrs of request!
  • API Documentation for this site can be found at developer.jet.com
    • Remember to change all partner.jet.com URLs to merchant.qa.notjet.net in the API calls.
For the Jet API (http://phased-batman-webapi-web.nomad.eastus2.qa.notjet.net/):
  • Open up Postman and load in the provided collection. (https://goo.gl/wxWikC)
  • Under the "auth" folder, you will see 4 requests.
  • Make an account on notjet.net.
  • Fill in your notjet.net credentials as environment variables in Postman.
  • Make all 4 requests in order.
  • In the responses you will receive all of the tokens and keys needed to operate the API.
  • Start Testing!!! Please check out the API Documentation at https://batman-api.eastus2.qa.notjet.net/swagger/ui/index#/

Targets

Rewards:

Specific things we like giving lots of money for:

| Type | Payout |
| --- | --- |
| Significant XSS | $1,000 - $5,000 |
| Authentication Bypass | Up to $15,000 |
| Vertical/Horizontal Privilege Escalation | $3,000 - $10,000 |
| Significant Data Exposure | Up to $10,000 |
| Shell/RCE | $5,000 - $15,000 and a discussion about the potential for a job at Jet. |

General Payout:

| Severity | Payout |
| --- | --- |
| P1 | $8,000 - $15,000 |
| P2 | $3,000 - $8,000 |
| P3 | $500 - $3,000 |
| P4 | $100 - $500 |

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.

In Scope Items:

| Site/Address | What it is |
| --- | --- |
| Notjet.net | Copy of Jet.com for Testing. (See Instructions Section) |
| merchant.qa.notjet.net | Copy of Jet Partner Portal for Testing. (See Instructions Section) |
| http://phased-batman-webapi-web.nomad.eastus2.qa.notjet.net/ | Jet.com QA API. (See Instructions Section) |
| *.jet.com | Any subdomain of jet.com EXCLUDING THOSE THAT ARE OUT OF SCOPE/3rd Party Services. |
| *.notjet.com | Any subdomain of Notjet.net EXCLUDING *.qa.notjet.net (see out of scope). |
| Android Application | https://play.google.com/store/apps/details?id=com.jet.jet.app&hl=en |
| iOS Application | https://itunes.apple.com/us/app/jet-smartest-way-to-shop-save/id950022424?mt=8 |
| cs.jet.com | Customer Service Portal |
| blog.jet.com | Jet Blog |
| images.jet.com | Static Image Hoster |
| jenkins.jet.com | Prod Jenkins |
| purple.jet.com | Jet Brand Style Guide |
| tech.jet.com | Jet Tech Blog |
| thor.jet.com | Jet Thor Application |

Additional subdomains are listed at the bottom of this page!

Additional In-Scope Items:

All subdomains below are in scope:
thor.qa.notjet.net
wolverine-api.qa.notjet.net
thor-api.qa.notjet.net
spiderman.qa.notjet.net
shield-api.eastus2.qa.notjet.net
shield.qa.notjet.net
scarletwitch-api.eastus2.qa.notjet.net
quicksilver-api.qa.notjet.net
quicksilver.qa.notjet.net
nova-web.qa.notjet.net
nova-toolbox.qa.notjet.net
nova-api.eastus2.qa.notjet.net
mirage-pe.qa.notjet.net
mirage-api.qa.notjet.net
mirage.qa.notjet.net
merchant.qa.notjet.net
kickass-api.qa.notjet.net
kickass.qa.notjet.net
ironman-api.notjet.net
incredibles-api.qa.notjet.net
incredibles2.eastus2.qa.notjet.net
illuminati-api.qa.notjet.net
batman-api-mobile.qa.notjet.net

Out of Scope Items:

| Site/Address | Why |
| --- | --- |
| Jet.com | Notjet.net is the same exact app, just made for testing! |
| Partner.jet.com | Merchant.qa.notjet.net is the same exact app, just made for testing! |
| Developer.jet.com | 3rd Party Service |
| Email.jet.com | 3rd Party Service |
| Email.notjet.net | 3rd Party Service |
| Go.jet.com | 3rd Party Service |
| Numbers.jet.com | 3rd Party Service |
| Numbers.notjet.net | 3rd Party Service |
| Clicks.jet.com | 3rd Party Service |
| Horizon.jet.com | 3rd Party Service |
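The in-scope and out-of-scope tables above combine explicit hosts, two wildcards and a carve-out (*.qa.notjet.net is excluded unless listed). The following is an added example, not code from the Jet.com program, that encodes those rules so a tester can confirm a hostname or URL is in scope before testing it. Hostnames are copied from this page; the rule ordering (explicit lists first, then the carve-out, then wildcards) and the reading of the "*.notjet.com" row as *.notjet.net, as its description says, are assumptions.

```python
from urllib.parse import urlsplit

# Added example (not the program's own tooling): scope checker for the host
# rules on this page. Rule ordering and the *.notjet.net reading are assumptions.
EXPLICIT_IN_SCOPE = {
    "notjet.net", "merchant.qa.notjet.net",
    "phased-batman-webapi-web.nomad.eastus2.qa.notjet.net",
    "cs.jet.com", "blog.jet.com", "images.jet.com", "jenkins.jet.com",
    "purple.jet.com", "tech.jet.com", "thor.jet.com",
}
# "Additional In-Scope Items" from the page (listed duplicate dropped)
EXPLICIT_IN_SCOPE.update("""thor.qa.notjet.net wolverine-api.qa.notjet.net
thor-api.qa.notjet.net spiderman.qa.notjet.net shield-api.eastus2.qa.notjet.net
shield.qa.notjet.net scarletwitch-api.eastus2.qa.notjet.net
quicksilver-api.qa.notjet.net quicksilver.qa.notjet.net nova-web.qa.notjet.net
nova-toolbox.qa.notjet.net nova-api.eastus2.qa.notjet.net mirage-pe.qa.notjet.net
mirage-api.qa.notjet.net mirage.qa.notjet.net kickass-api.qa.notjet.net
kickass.qa.notjet.net ironman-api.notjet.net incredibles-api.qa.notjet.net
incredibles2.eastus2.qa.notjet.net illuminati-api.qa.notjet.net
batman-api-mobile.qa.notjet.net""".split())

EXPLICIT_OUT_OF_SCOPE = {
    "jet.com", "partner.jet.com", "developer.jet.com", "email.jet.com",
    "email.notjet.net", "go.jet.com", "numbers.jet.com", "numbers.notjet.net",
    "clicks.jet.com", "horizon.jet.com",
}


def scope_of(target):
    """Return (in_scope, reason) for a bare hostname or a full URL."""
    if "//" not in target:          # bare hostname: give urlsplit a netloc marker
        target = "//" + target
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname found"
    if host in EXPLICIT_IN_SCOPE:   # explicit listing beats every wildcard rule
        return True, "explicitly listed as in scope"
    if host in EXPLICIT_OUT_OF_SCOPE:
        return False, "explicitly listed as out of scope"
    if host.endswith(".qa.notjet.net"):
        return False, "*.qa.notjet.net is excluded unless explicitly listed"
    if host.endswith(".jet.com"):
        return True, "matches the *.jet.com wildcard"
    if host.endswith(".notjet.net"):
        return True, "matches the *.notjet.net wildcard"
    return False, "not covered by any scope rule"


if __name__ == "__main__":
    for t in ["https://notjet.net/register?join", "random.jet.com",
              "Partner.jet.com", "unlisted.qa.notjet.net", "example.org"]:
        print(t, *scope_of(t))
```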

Additional Out of Scope Items:

  • Physical security of Jet buildings. Please do not attempt to sneak into our premises either secretly or by using social engineering.
  • Phishing/Social Engineering Attacks against Jet Employees.
  • Any subsidiaries, parents, or affiliates are not in scope unless explicitly mentioned in the in-scope section.
  • Outdated software versions are subject to a 72-hour blackout period to grant time for internal patching and testing (for instance, issues resulting from a 0day, etc). Rewards will not be given for outdated software versions reported during this period.
  • Any global scope security defects in the Microsoft Azure platform.
  • Clickjacking
  • Rate Limiting Issues

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.