We are very grateful for any indications of Vulnerabilities!
We offer several WordPress plugins and websites, on which thousands of sites rely.
The security of data and processes is of the highest priority. However, despite our best efforts, these digital services may still contain vulnerabilities that are not yet known to us.
Please note: Searching for vulnerabilities may possibly constitute a criminal offense. To avoid legal difficulties, we kindly ask you to adhere to the following rules.
What is the JCI BugBounty Program?
“BugBounty programs” are important tools for improving the security of digital services, as they encourage a community of “ethical hackers” or security researchers to help uncover potential vulnerabilities before they can be exploited by malicious actors.
The “JCI BugBounty Program” is an initiative by us to reward individuals who uncover and report errors, security vulnerabilities or “bugs” in our digital services.
The term “Bug Bounty” means “bounty for bugs”. The reward, also known as “bounty”, varies based on the severity and type of the uncovered failure. Anyone who adheres to the rules stated below can participate in the JCI BugBounty Program.
Which digital services are included in the JCI Bug Bounty Program?
The following domains (including any existing subdomain) are relevant for the JCI Bug Bounty Program:
Also the sourcecode of the following WordPress Plugins:
- JSON Content Importer (free plugin)
- Free Auto Refresh API AJAX (free plugin)
- Get URL Cron (free plugin)
- WP-Memory-Usage (free plugin)
- JSON Content Importer PRO (paid plugin)
- Build n:n Toolset-CPT-Relationships (paid plugin)
Rules for the JCI BugBounty Program!
Participation in the JCI BugBounty Program requires strict adherence to the following general rule: No harm must be done to us due to activities within the framework of the JCI BugBounty Program. This means:
- While searching for vulnerabilities, the availability, confidentiality, and integrity of our data and processes must not be compromised. Therefore, please do not execute any phishing mailing, DDoS, or brute force tests, etc. Do not change any data.
- No backdoors or similar programs, which allow permament access, must be installed.
- Identified vulnerabilities will be published only after they have been rectified by us.
Furthermore, the following rules apply:
- Only the initial report of a vulnerability is eligible for a bug bounty payout.
- We determines the payout amount (see below). A payout can only be made if the participant in the JCI BugBounty Program provides an appropriate invoice that complies with the applicable sales taxation.
This is how you can send us a vulnerability report
When making contact, please provide us with the following information:
- Exact domain on which you found the vulnerability.
- As many details as possible, so we can reproduce the vulnerability, facilitate our analysis and thus speed up the payout of the reward. For example, the IP number from which the tests were carried out, proof-of-concept sketches etc.
What do we do with vulnerability reports?
The submitted vulnerability report is evaluated by us and classified into a category of criticality, which is determined by its potential for danger. Guidance is provided by the „Common Vulnerability Scoring System Calculator“, which can be used to categorize vulnerability reports.
|CVSS-Score||0.1 – 3.9||4.0 – 6.9||7.0 – 8.9||9.0 – 10.0|
|BugBounty (Net amount before sales tax)||up to 25 €||25 – 125 €||125 – 250 €||over 250 €|
In this regard, we are particularly interested in vulnerabilities that allow unauthorized individuals to access, modify, or delete confidential data.
Examples of relevant vulnerabilities can be found at OWASP, including the following:
The following submissions are not relevant for the BugBounty program and are not eligible for a Bounty payout:
- General accessibility of digital services
- Phishing emails and similar threats, especially those that abuse our email addresses
- Vulnerabilities without proof of exploitability
- Vulnerabilities that only affect browsers which are outdated or only have limited security features
- Reports generated by scanners that do not provide specific and fully traceable references to a vulnerability
- Unused best practices in headers, SSL/TLS, DNS