Responsible Disclosure

Vulnerability Disclosure Program

The information on this page is intended for security researchers interested in reporting security vulnerabilities in Jscrambler’s property to the Jscrambler security team.

The security team at Jscrambler strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients and users. As such, if you believe you've discovered a security vulnerability on a Jscrambler property or application, we strongly encourage you to inform us as quickly as possible. We ask that such vulnerability reports be kept private and researchers do not make those public while we are working to resolve the reported issues.
In return, we will work to review reports and respond in a timely manner (under 3 business days). Jscrambler will not seek judicial or law enforcement remedies against you for identifying security issues, so long as you abide by the policies set forth in here:

  • do not compromise the safety or privacy of our users; 

  • do not publish information about the vulnerabilities until we fix it; 

  • do not download or access sensitive data beyond the absolutely necessary to demonstrate the vulnerability; and

  • destroy any sensitive data you might have gathered from Jscrambler as part of your research once issues are resolved.

Vulnerability Program Scope & Rules

In Scope

We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure - Cross-Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.

  • Sensitive Data Leakage

  • Authentication or Session Management related issues

  • Remote Code Execution

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope

The following vulnerability categories are considered out of the scope of our responsible disclosure program and should be avoided by researchers:

  • Denial of Service (DoS) - Either through network traffic, resource exhaustion, or others.

  • User enumeration

  • Issues only present in old browsers/old plugins/end-of-life software browsers

  • Phishing or social engineering of Jscrambler employees, users or clients

  • Systems or issues that relate to Third-Party technology used by Jscrambler

  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)

  • Any attack or vulnerability that hinges on a user’s computer being first compromised

Vulnerability Rewards

Depending on the severity and impact of the vulnerability, we may offer rewards as a token of our appreciation. However, please note that reward eligibility is at our discretion.

Report a Security Vulnerability

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

  • E-mail your findings to [email protected],

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,

  • This policy covers all of our online systems, websites, and associated services. Please refrain from accessing, modifying, or disclosing data beyond what is necessary to demonstrate the security vulnerability;

  • We request that you refrain from publicly disclosing the vulnerability until we have had sufficient time to investigate and address it. Once the vulnerability is resolved, we will credit you for your responsible disclosure if you wish;

  • We encourage you to provide us with detailed information about the vulnerability to help us understand and reproduce it. Please provide any supporting documentation, proof-of-concept code, or screenshots that can help us understand the vulnerability better.

Failure to comply with the terms and guidelines outlined in this policy may result in civil and/or criminal liability, as permitted by applicable laws and regulations.

Thank you for your help!

Last modified on 2023-10-03.