Jet Infosystems (Company) is a systems integrator, one of the top ten largest tech companies and top five IT service providers in Russia. We implement unique solutions that we test ourselves. We take on complex projects that others consider impossible: building a data center in permafrost, launching a virtual mobile operator from scratch in six months, or building an IT and clearing infrastructure for a new national payment system in just a few months.
Rewards are paid to individual entrepreneurs and self-employed persons
Participants must be aged 18 years and over
Program description
One of the Company's goals is to provide a secure and convenient service for our customers and partners.
Our bug bounty program aims to improve the security of data and sensitive information in our services by promptly identifying and remediating potential vulnerabilities. We understand that there is no such thing as a perfect infrastructure. There are always risks and potential threats, and we want to be the first to know about them.
We invite professionals who are ready to help us in researching the security of our services. Join our bug bounty program and help our services become even safer.

Scope

  1. The network 193.203.100.0/23.
  2. Second-level domains:
  • jet.su
  • jetinfosystems.com
  • jetinfo.ru
  • jetinfo.com
  • jetinfo.su
  • jetcybercamp.ru
  • cybercamp.su
  • jetcsirt.su
  • jetcsirt.ru
  • csirt.ru
  • csirt.su
  • it-elements.ru
  • it-elements.com
  • itelements.events
  3. All subdomains that belong to the second-level domains listed above.
Before you submit your report, make sure it contains information on a vulnerability from the declared scope of the program. If a vulnerability is out of scope but you believe that the problem you found is worth investigating, submit your report on the Standoff365 platform with a description of the applicability.

Vulnerabilities

We are mostly interested in finding critical server-side vulnerabilities as part of this program, but we are also willing to consider reports on any vulnerabilities that, if exploited, could negatively affect our Company and its operations.
Please review the list of vulnerabilities that are not rewarded within this program.

Vulnerabilities eligible for a reward

• Remote code execution (RCE).
• Injections (such as SQL and XML injections).
• Local/remote file inclusion (LFI/RFI).
• Server-side request forgery (SSRF).
• Vulnerabilities and flaws of authentication and authorization mechanisms.
• Access control vulnerabilities.
• Information disclosure, including insecure direct object references (IDOR).
• Cross-site scripting (XSS), accepted only if the vulnerability is proven to be exploitable.

Vulnerabilities NOT eligible for a reward

• Reports generated by vulnerability scanners and other automated tools.
• Hypothetical attacks without proof of their feasibility.
• Disclosure of non-confidential information (such as product versions).
• Reports based on a product/protocol version without demonstration of an actual vulnerability.
• Lack of security mechanisms and/or non-compliance with best practices (for example, missing CSRF tokens or framing/clickjacking protection) without demonstration of the actual security impact on users or systems.
• Reports on published and unpublished SPF and DMARC policies.
• Cross-site request forgery resulting in logout (logout CSRF).
• Vulnerabilities in partner products or services.
• Open redirects are accepted only with a definite security impact, such as the possibility of stealing an authorization token.
• Same-site scripting, reflected downloads, and similar attacks with questionable impact.
• Reports of Content Security Policy (CSP) issues for domains without CSP and domain policies with 'unsafe-eval' and/or 'unsafe-inline'.
• IDN homograph attacks.
• XSPA (IP address/port scanning of external networks).
• Excel and CSV formula injections.
• Scripting in PDF documents.
• Self-XSS.
• Attacks that rely on full access to a local account or browser profile.
• Possibility of sending a large number of messages.
• Possibility of sending spam or malware files.
• Information disclosure via external links that are not under the Company's control.
• Possible DDoS attacks.
• Information about IP addresses, DNS records, and open ports.
• Disclosure of private IP addresses or domains that resolve to private IP addresses.
• Clickjacking.
• Any 0-day or 1-day vulnerabilities reported less than 5 business days ago.

Program rules

Rules for researchers

• Read the program rules before you begin your research: you must follow the terms described here.
• Test only the systems that are included in the program scope. Testing any other of the Company's systems is prohibited.
• Do not use methods that violate the legislation of the Russian Federation.
• Do not perform actions that are deliberately destructive.
• Respect our team's decisions. If you disagree with a decision made by our specialists, make sure to be polite and provide evidence of why you think the decision is wrong.

Prohibited actions

If you use forbidden methods or tools for testing, we reserve the right to deny you a reward or disqualify you from the program.
• Do not use social engineering methods, including phishing, vishing, smishing, and so on.
• Do not perform physical attacks on the company and its infrastructure.
• When obtaining access to confidential information, do not copy, store, or transmit it.
• Do not conduct post-exploitation activities after testing.
• Do not perform attacks aimed at disrupting systems (such as DDoS).

Testing rules

When testing for security issues, please adhere to the following rules:
• Do not compromise the confidentiality, integrity, and availability of data in our services.
• Do not perform actions that may harm the Company, its infrastructure, clients, or partners.
• Use basic commands for the PoC or the minimum of evidence necessary to show the existence of the vulnerability.
If your vulnerability research requires you to perform an action that clearly violates the requirements of this program, contact us via the Standoff365 platform to obtain explicit approval. Any actions taken without our consent will be considered a violation of the program rules.
When testing for remote access vulnerabilities, you must adhere to the following policy.
Only the following actions are allowed on the server:
• Execute the ifconfig (ipconfig), hostname, and whoami commands.
• Read the contents of the /etc/passwd and /proc/sys/kernel/hostname files (on Windows hosts, drive:/boot.ini and drive:/install.ini).
• Create an empty file in the directory of the current user.
If other actions are required, contact us via the Standoff365 platform to obtain explicit approval.
When testing for SQL injection vulnerabilities, you must adhere to the following policy.
Only the following actions are allowed on the server:
• Get information about the current database (SELECT database()), its version (SELECT @@version), the current user (SELECT user() or SELECT system_user()), or hostname (SELECT @@hostname).
• Get the database schema (SELECT table_schema), list of tables (SELECT table_name), and table column names (SELECT column_name).
• Perform mathematical, conversion, or logical queries (including using SLEEP) without retrieving data (excluding those mentioned above).
If other actions are required, contact us via the Standoff365 platform to obtain explicit approval.
When testing for vulnerabilities that may result in access to the server file system, you must adhere to the following policy.
When uploading files, you must not do the following:
• Upload files that could cause a denial of service (for instance, large files or files containing scripts that are destructive for the system).
• Upload malware or spyware.
• Upload files containing information that violates the legislation of the Russian Federation.
If an arbitrary file read vulnerability is discovered on the server, you are allowed to read only the following files:
• /etc/passwd
• /proc/sys/kernel/hostname
• drive:/boot.ini
• drive:/install.ini
• Files uploaded by the researcher
If you obtain the ability to modify arbitrary files, do not take any actions that may corrupt or delete system data.
If other actions are required, contact us via the Standoff365 platform to obtain explicit approval.

Information disclosure rules

• Submit your reports only using the form on the platform.
• Do not disclose information about the discovered vulnerability to third parties without the permission of the Company's security team.
• If you violate these rules, we will have to exclude you from this and other programs of the Company.

Severity assessment rules

When receiving a report, we conduct an internal investigation to determine the severity level of the vulnerability based on multiple factors:
• Privileges required to perform the attack.
• How difficult it is to detect and exploit the vulnerability.
• How much interaction with users is required for the attack.
• Impact of the vulnerability on data security.
• Risks posed by the vulnerability to the Company's business and reputation.
• How many users would be affected by the vulnerability.
These and other factors are taken into consideration when we make a decision and determine priorities in our vulnerability assessment. One of the tools we use for analysis is the CVSS calculator version 3.1.

Report submission rules

As part of the program, we accept reports in Russian or English that include the following information about a vulnerability:
• Name.
• Category.
• CVE (if available), OWASP CWE ID (if available).
• Severity analysis based on CVSS 3.1.
• A comprehensive and reproducible description of the vulnerability exploitation steps, including the code fragments or examples of requests required to exploit the vulnerability.
• Technical assessment of the potential damage and risks to the vulnerable system.
• Recommendations on how to fix the vulnerability.
• Proof of concept: photos, screenshots, or video recordings of the exploitation process (use only the file formats supported by the platform; links to third-party resources are not allowed).
Create a separate report for each vulnerability you find.
However, if multiple vulnerabilities must be exploited to carry out an attack, you can describe them in a single report. In this report, indicate the number and classes of all detected vulnerabilities.

Rules for handling duplicates

Within this program, we consider only the first report submitted on a particular vulnerability. Duplicated reports related to the same vulnerability will be marked as Duplicate and are not eligible for a reward.
Reports that describe similar attack vectors will also be marked as Duplicate if our security team decides that information from the original report is sufficient to fix all discovered exploitation vectors.
The first submission may be a report from the Company's own security team or a report received as a result of other activities unrelated to the bug bounty program. In this case, our security team will try to provide evidence demonstrating that the researcher's findings are secondary. The final decision on whether to provide details of previously identified vulnerabilities remains with the security team.

Remuneration

We only reward the first report on a specific vulnerability that we receive, provided that it contains all the data necessary to reproduce the vulnerability and a confirmed demonstration of exploitation.
Rewards are paid in accordance with the table below:
Severity                          Reward
Critical (CVSS 3.1 9.0 – 10.0)    120 000 – 250 000 ₽
High (CVSS 3.1 7.0 – 8.9)         50 000 – 110 000 ₽
Medium (CVSS 3.1 4.0 – 6.9)       5 000 – 45 000 ₽
Vulnerabilities discovered under contractual obligations not related to the bug bounty program are not eligible for a reward.
Vulnerabilities discovered by current or former employees of the Company, or by contractors who ceased cooperation with the Company less than one year ago, are accepted without a reward.
Please note that under the program rules, the decision on the reward amount remains with the Company and is final.

Additional information

Our website: https://jet.su/
Our Telegram channel: https://t.me/jetinfosystems.
Launched February 5, 15:22
Edited March 12, 14:05
Program format: Vulnerabilities
Reward for vulnerabilities by severity level (platform summary): Critical ₽120K–250K; High ₽50K–110K; Medium ₽5K–45K; Low ₽0; None ₽0.
Program statistics: ₽20,000 paid in total; ₽6,666 average payment; ₽20,000 paid in the last 90 days; 9 valid reports out of 11 submitted.