Jumbo Privacy: Brief Update
We have made some slight changes to the brief. You can see the changes here as well as on the program brief directly.
- Jumbo Privacy is primarily interested in receiving vulnerabilities that demonstrate real-world impact.
- For instance, if you find an API key in an application bundle or its source code, what can you do with it? The mere presence of API keys in the application bundle (or source code) is currently not considered a vulnerability, since this application is considered "public", and more specifically a "native application", in the OAuth spec (https://tools.ietf.org/html/rfc6749#section-2.1). We will, however, accept a vulnerability that makes use of these API keys, or a more fully developed submission that shows how we are not following the OAuth spec correctly in a way that leads to a vulnerability.
If you have any questions, please reach out to firstname.lastname@example.org.