
Jumpseller Bug Bounty Program

Jumpseller runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Jumpseller described below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Jumpseller and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

jumpseller.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

We are an e-commerce platform that takes care of all the infrastructure so that businesses can focus on selling their products. They do not need any additional software to create an online store.

No technology is perfect, and Jumpseller believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

We'll provide rewards to reporters who submit original, in-scope vulnerabilities.

The reward levels listed under Possible Awards are the lower bounds for these rewards, depending on the severity level assigned. Each report is assessed based on criticality, impact and risk to our customers and our company. Our minimum reward is $50.

We may choose to grant bonuses or larger rewards to critical vulnerabilities, more creative exploits, and more insightful reports.

Testing Requirements:

All reports should include a detailed step-by-step explanation of how to replicate the issue and an attack scenario to demonstrate the risk.

Practice responsible disclosure. That's a responsibility to users, not us. We strive to live up to the other end of this by resolving bugs in a timely manner.

Possible Awards:

Bounties depend on the severity of the vulnerability:

Low - 50 USD
Medium - 150 USD
High - 500 USD
Critical - 1500 USD

Rewards scale according to impact and ingenuity, from an unlikely, low-sensitivity XSS to a deep, novel RCE, credential stuffing, etc.

One reward per bug; first discovery claims it; ties break toward the best report.

Known vulnerabilities that we won't consider:

- Admin Panel:
* We are aware that the CSRF token is not enabled in some of our controllers.
* We don't consider XSS attacks originating from the Admin Panel of the store. However, since the administrator can fully change the HTML of a store, we do consider XSS attacks from a store-front to the Admin Panel.
* Email addresses are not validated, for business reasons, which may allow a denial of service.

- Jumpseller.com (Landing Page):
* Click-jacking (UI redress attack), since our CDN does not support custom headers.

- All Properties:
* Social engineering (e.g. phishing, vishing, smishing), denial of service, spamming, and any physical attempts against Jumpseller property are prohibited.

Special Notes:

Security researchers can use the landing page of jumpseller.com to create trial stores.

Properties:
- Admin Panel: store_code.jumpseller.com/admin
- Store-front: store_code.jumpseller.com
- API: https://api.jumpseller.com/v1/path.json?login=XXXXXX&authtoken=XXXXXX
- OAuth2 Server: https://jumpseller.com/support/oauth-2

You can get your login and auth token by creating a store. It's in your account options.

Important: You're not allowed to use our real merchants' stores for this program. You can create trial stores instead.

If you have any questions about the Jumpseller service, refer to our documentation: https://jumpseller.com/support and/or contact our support.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: how quickly researchers get responses to their submissions.
Remediation Time: how quickly reported submissions are fixed.
Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
