
Jumio Corporation

Responsible Disclosure

Jumio Vulnerability Disclosure Program

At Jumio, we prioritize the security of our users and platform. We welcome contributions from the security community and encourage responsible disclosure of potential vulnerabilities. The Jumio Vulnerability Disclosure Program provides guidelines that will help Jumio address vulnerabilities and maintain a secure environment. Before performing any security research, please be sure to read and comply with the following guidelines.


 Scope 

The following are within the scope of this program: 

  • Web and mobile applications of jumio.com

  • Public-facing Jumio APIs and services

  • Core infrastructure related to the Jumio platform

The following are outside the scope of this program: 

  • Third-party providers, including their services, infrastructure, or software

  • Social engineering attacks (e.g., phishing)

  • Physical security attacks

  • DDoS attacks

  • Any other attacks against any property or individuals associated with Jumio, or its users, customers, suppliers, employees, or affiliates


How to Report a Vulnerability 

To report a vulnerability: 

  1. Submit your report via https://vdp.jumio.com

  2. Include the following details in your submission:

    • A description of the vulnerability and its impact

    • Steps to reproduce the issue

    • Supporting evidence (e.g., PoC or screenshots)

    • Impact assessment (e.g., how critical the vulnerability is) 

    • Any references, tools, or methodologies used in your testing


 

What Happens After You Report a Vulnerability?

  • Acknowledgment: After receiving a valid submission, we may send you a confirmation email.

  • Assessment: Our security team will review your findings, evaluate the severity of the issue, and determine an appropriate remediation path.

 


 

Program Rules

Generally, when conducting security research, avoid any actions that could cause harm to Jumio, its customers, or its services.

  • Do not access, modify, exploit, or delete any data

  • Do not disrupt any services or systems

  • Do not exploit any vulnerability beyond what is necessary to verify it

  • Do not test systems or services that are not explicitly listed above as within the scope

  • Do not engage in any activities that violate any applicable federal, state, or local laws or regulations

  • Do not publicly disclose any vulnerability


 

General


Jumio reserves the right to change these guidelines at any time without notice and does not guarantee that it will respond to your submission. Your participation in the Jumio Vulnerability Disclosure Program is at your sole discretion. When sharing any information with Jumio, you agree that Jumio is allowed to use such information in any manner without any restriction; provided that the personal information you provide will be governed by Jumio’s Privacy Notices.

Jumio does not provide payment or other consideration for disclosures; however, we appreciate the security researchers who take the time and effort to investigate and report vulnerabilities to us according to these guidelines. By providing a submission, you acknowledge that you have no expectation of payment and expressly waive any future pay claims against Jumio related to your submission.


 

Contact Information

For questions related to the program, including whether a particular research activity is permitted, please contact us at jumiosecurity@jumio.com.


 

 
