Jumbo Privacy invites you to test their iOS and Android App. Good luck and happy hunting!
This section is meant to give an overview of the current architecture.
It is our intention to keep this up-to-date, but due to the nature of development, changes may have been introduced that are not reflected here.
The Jumbo app allows a user to connect a choice of services. The app then scans these services for settings which we deem to be privacy issues. The user can select which settings they want to change, which the app does on behalf of the user.
Further, we offer the user an option to enable "auto-delete" functionality for certain data items. The app makes use of various background APIs to run periodic audits and to delete any data items for which the user has enabled "auto-delete."
We connect a service by presenting a WKWebView to the user, where the user is first prompted to log into the chosen service.
For operations regarding that service, we use such a WKWebView instance to initiate operations on the user's behalf, utilizing the authenticated session (via the service's cookie).
The operations are controlled (scheduled) from the iOS native app, and their return value (in the form of a sent message) is interpreted by the iOS app as well.
Some state regarding this (e.g. whether the user has set up a service) is persisted via the native app.
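An added illustration of the native-side half of this design (not Jumbo's code; the handler name, the host list and the message fields are assumed): a WKScriptMessageHandler that only acts on a result message when it comes from the connected service's own HTTPS origin and has the expected shape, since any frame loaded in the web view can post to a registered handler.

```swift
import WebKit

/// Result of one scheduled operation, as reported back by the page. Assumed shape.
struct ServiceOperationResult {
    let operationID: String
    let status: String
}

final class ServiceMessageHandler: NSObject, WKScriptMessageHandler {
    static let handlerName = "serviceOperation"   // assumed handler name
    private let allowedHosts: Set<String>         // hosts of the connected service (assumed)
    private let onResult: (ServiceOperationResult) -> Void

    init(allowedHosts: Set<String>, onResult: @escaping (ServiceOperationResult) -> Void) {
        self.allowedHosts = allowedHosts
        self.onResult = onResult
    }

    // Page side would call:
    // window.webkit.messageHandlers.serviceOperation.postMessage({operationId: "...", status: "done"})
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard message.name == Self.handlerName else { return }
        // Check the posting frame's origin before trusting the body: third-party
        // iframes or an unexpected redirect target must not be able to report results.
        let origin = message.frameInfo.securityOrigin
        guard origin.protocol == "https", allowedHosts.contains(origin.host) else { return }
        // Accept only a dictionary with the expected string fields and known status values.
        guard let body = message.body as? [String: Any],
              let operationID = body["operationId"] as? String,
              let status = body["status"] as? String,
              ["done", "failed"].contains(status) else { return }
        onResult(ServiceOperationResult(operationID: operationID, status: status))
    }
}

func makeServiceWebView(handler: ServiceMessageHandler) -> WKWebView {
    let config = WKWebViewConfiguration()
    // The persistent store keeps the service's session cookie between operations;
    // .nonPersistent() would drop it when the process exits.
    config.websiteDataStore = .default()
    config.userContentController.add(handler, name: ServiceMessageHandler.handlerName)
    return WKWebView(frame: .zero, configuration: config)
}
```

WKUserContentController holds the handler strongly, so the owner should call removeScriptMessageHandler(forName:) when the web view is discarded.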
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
| Technical severity | Reward range |
|---|---|
| P1 Critical | $4,100 - $4,500 |
| P2 Severe | $1,500 - $1,750 |
| P3 Moderate | $600 - $850 |
| P4 Low | $200 - $250 |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Jumbo Privacy not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
The application is available directly from the Apple Store and Play Store.
- Prioritization of critical (P1) vulnerabilities.
Jumbo Privacy will give special consideration to vulnerabilities which lead to extraction of user data on a wide scale. Submissions in this category, if they meet the specifications below, could be eligible for a $20,000 bounty. The guidelines for consideration for this reward are as follows:
- It should be a remote vulnerability (e.g. no physical access to the devices)
- It should lead to the extraction of user-data for a group of Jumbo users, not a single target. We will be giving consideration to vulnerabilities targeted at a single user, as long as it's a repeatable attack.
- The reward will reflect the type of data that can be extracted through this vulnerability (i.e. personal data is more valuable than opaque identifiers, and credentials are a high-value type of data).
- Jumbo Privacy is primarily interested in receiving vulnerabilities that demonstrate real world impact.
- For instance, if you find an API key in an application bundle or its source code, what can you do with it? The mere presence of API keys in the application bundle (or source code) is currently not considered a vulnerability, since this application is considered "public" and more specifically a "native application" in the OAuth spec https://tools.ietf.org/html/rfc6749#section-2.1. We will, however, accept a vulnerability which makes use of these API keys, or a more fully developed submission which demonstrates how we are not following the OAuth spec correctly, leading to a vulnerability.
- Jumbo will not consider escalation to a paid tier via a method which requires advanced interaction with the app (decompiling, repackaging, etc., especially if physical access to the device is required) eligible for rewards.
- Jumbo will not consider the mere finding of API endpoints which can be consumed without payment authorization (even if the feature which makes use of this API endpoint in the app requires payment) eligible for rewards.
- Jumbo will consider vulnerabilities that impact payment authorization remotely, especially if they can be deployed on behalf of more than one user (e.g. if you find a vulnerability that would give everyone access to paid features without paying, with minimal user interaction).
Explicitly out of Scope
Vulnerabilities exclusively affecting the services with which we interact are out of scope and should be reported to the affected service provider.
If a combination of a vulnerability in one of these services AND an implementation detail (or bug) within the Jumbo app leads to a vulnerability, we consider this to be in scope. However, our reward will be a function of whether the eventual vulnerability is primarily a result of the implementation details of Jumbo, or of the service in question.
Jumbo asks candidates who apply for employment to submit technical work. Some candidates choose to publish this work (e.g. on their personal GitHub). Work such as this, unrelated to targets in this program, is explicitly out of scope.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via email@example.com before going any further.