Jumbo Privacy

  • $200 – $4,500 per vulnerability
  • Up to $20,000 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

8 vulnerabilities rewarded

Validation within 6 days
75% of submissions are accepted or rejected within 6 days

$2,200 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Jumbo Privacy

Jumbo Privacy invites you to test their iOS and Android App. Good luck and happy hunting!

Architecture

This section is meant to give an overview of the current architecture.

It is our intention to keep this up-to-date, but due to the nature of development, changes may have been introduced that are not reflected here.

General

The Jumbo app allows a user to connect a choice of services. The app then scans these services for settings which we deem to be privacy issues. The user can select which settings they want to change, which the app does on behalf of the user.

Further, we offer the user an option to enable "auto-delete" functionality for certain data items. We make use of various background APIs, which the app uses to run periodic audits, as well as delete any data items as a result of the user having enabled "auto-delete."

Technical Architecture

We accomplish this by presenting a WKWebView to the user, in which the user is first prompted to log into the chosen service.

For operations regarding that service, we use such a WKWebView instance to initiate operations on the user's behalf, utilizing the authenticated session (via the service's cookies).

JavaScript

We make use of a JavaScript bundle, injected into the web view, to run these operations.

This JavaScript bundle is hosted at a well-known address and validated with a public key; only after passing this validation is it injected into the web view and executed.

The operations are controlled (scheduled) from the iOS native app, and their return value (in the form of a sent message) is interpreted by the iOS app as well.

Some state regarding this (e.g. whether the user has set up a service) is persisted via the native app.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Technical severity   Reward range
P1 Critical          $4,100 - $4,500
P2 Severe            $1,500 - $1,750
P3 Moderate          $600 - $850
P4 Low               $200 - $250

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                       Type     Tags
JumboPrivacy iOS Application      iOS      Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
JumboPrivacy Android Application  Android  Mobile Application Testing, Android

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Jumbo Privacy not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Access:

The application is available directly from the Apple App Store and Google Play Store.

Focus Areas:

  • Prioritization of critical, P1, vulnerabilities.

Jumbo Privacy will give special consideration to vulnerabilities which lead to extraction of user data on a wide scale. Submissions in this category that meet the specifications below could be eligible for a $20,000 bounty. The guidelines for consideration for this reward are as follows:

  • It should be a remote vulnerability (e.g. no physical access to the devices)
  • It should lead to the extraction of user-data for a group of Jumbo users, not a single target. We will be giving consideration to vulnerabilities targeted at a single user, as long as it's a repeatable attack.
  • The reward will reflect the type of data that can be extracted through this vulnerability (i.e. personal data is more valuable than opaque identifiers; credentials are a high-value type of data)

Scope

The app itself, the JavaScript bundle as it relates to the app and its operations, the update mechanism (of the JavaScript bundle) and the components that support it are all in scope.

  • Jumbo Privacy is primarily interested in receiving vulnerabilities that demonstrate real world impact.
    • For instance, if you find an API in an application bundle or its source code, what can you do with it? The mere presence of API keys in the application bundle (or source code) is currently not considered a vulnerability, since this application is considered "public" and, more specifically, a "native application" in the OAuth spec (https://tools.ietf.org/html/rfc6749#section-2.1). We will, however, accept a vulnerability which makes use of these API keys, or a more fully developed submission which shows how we are not following the OAuth spec correctly, leading to a vulnerability.
  • Jumbo will not consider escalating to a paid tier via a method which requires advanced interaction with the app (decompiling, repackaging, etc., especially if physical access to the device is required) eligible for rewards.
  • Jumbo will not consider the mere finding of API endpoints which can be consumed without payment authorization (even if the feature which makes use of this API endpoint in the app requires payment) eligible for rewards.
  • Jumbo will consider vulnerabilities that impact payment authorization remotely, especially if they can be deployed on behalf of more than one user (e.g. if you find a vulnerability that would give everyone access to paid features without paying, with minimal user interaction).

Explicitly out of Scope

Vulnerabilities exclusively affecting the services with which we interact are out of scope and should be reported to the affected service provider.

Where a combination of a vulnerability in one of these services AND an implementation detail (or bug) within the Jumbo app leads to a vulnerability, we consider this to be in scope. However, our reward will be a function of whether the eventual vulnerability is primarily a result of the implementation details of Jumbo, or of the service in question.

Jumbo asks candidates who apply for employment to submit technical work. Some candidates choose to publish this work (e.g. on their personal GitHub). Work unrelated to targets in this program, such as this, is explicitly out of scope.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.