We are very grateful for any indications of vulnerabilities!
We offer several WordPress plugins and websites, on which thousands of sites rely.
The security of data and processes is of the highest priority. However, despite our best efforts, these digital services may still contain vulnerabilities that are not yet known to us.
Please note: Searching for vulnerabilities may constitute a criminal offense. To avoid legal difficulties, we kindly ask you to adhere to the following rules.
What is the JCI Vulnerability Disclosure Program?
Vulnerability Disclosure Programs (VDPs) are important tools for improving the security of digital services. They encourage a community of ethical hackers and security researchers to help identify potential vulnerabilities before they can be exploited by malicious actors.
The JCI Vulnerability Disclosure Program provides a way for individuals to responsibly report errors, security vulnerabilities, or other bugs found in our digital services.
The previous JCI Bug Bounty Program ended on June 1, 2026. While we no longer offer financial rewards for reported vulnerabilities, we continue to welcome and review responsible vulnerability reports.
Which digital services are included in the JCI Vulnerability Disclosure Program?
The following domains (including any existing subdomain) are relevant for the JCI Vulnerability Disclosure Program:
- json-content-importer.com
The source code of the following WordPress plugins is also included:
- JSON Content Importer (free plugin)
- Free Auto Refresh API AJAX (free plugin)
- Get URL Cron (free plugin)
- WP-Memory-Usage (free plugin)
- JSON Content Importer PRO (paid plugin)
- Build n:n Toolset-CPT-Relationships (paid plugin)
Rules for the JCI Vulnerability Disclosure Program!
Participation in the JCI Vulnerability Disclosure Program requires strict adherence to the following general rule: No harm must be done to us due to activities within the framework of the JCI Vulnerability Disclosure Program. This means:
- While searching for vulnerabilities, the availability, confidentiality, and integrity of our data and processes must not be compromised. Therefore, please do not carry out any phishing mailings, DDoS, or brute-force tests, etc. Do not change any data.
- No backdoors or similar programs that allow permanent access may be installed.
- Identified vulnerabilities will be published only after they have been rectified by us.
This is how you can send us a vulnerability report
When making contact, please provide us with the following information:
- Exact domain on which you found the vulnerability.
- As many details as possible, so we can reproduce the vulnerability, facilitate our analysis and thus speed up the payout of the reward. For example, the IP address from which the tests were carried out, proof-of-concept sketches, etc.
Please contact us via a Freshdesk ticket.
What do we do with vulnerability reports?
The submitted vulnerability report is evaluated by us and classified into a category of criticality, which is determined by its potential for danger. Guidance is provided by the "Common Vulnerability Scoring System Calculator", which can be used to categorize vulnerability reports.
In this regard, we are particularly interested in vulnerabilities that allow unauthorized individuals to access, modify, or delete confidential data.
Examples of relevant vulnerabilities can be found at OWASP, including the following:
The following submissions are not relevant for the Vulnerability Disclosure Program:
- General accessibility of digital services
- Phishing emails and similar threats, especially those that abuse our email addresses
- Vulnerabilities without proof of exploitability
- Vulnerabilities that only affect browsers which are outdated or only have limited security features
- Reports generated by scanners that do not provide specific and fully traceable references to a vulnerability
- Unused best practices in headers, SSL/TLS, DNS


