Report A Vulnerability
Please do not share bulk reports from automated scanners. Those findings should be reviewed and validated by a security practitioner before submitting them to JFrog.
If you believe you have found a security issue, please report it to JFrog using one of these methods:
Customers:
Please submit your report via oursupport portal.
Security Researchers:
Please submit your security report through ourVulnerability Disclosure Programmanaged by HackerOne.
Bug Bounty Program
We also have a private Bug Bounty program managed by HackerOne. If you believe you have found a vulnerability in the JFrog Platform (SaaS and on-prem), you can request an invitation to join the program by sending an email tosecurity@m.si-fil.comwith a summary of the vulnerability.
Vulnerability Disclosure Philosophy
All submitted reports are confidential and we’ll address them by their severity. Pleasedo not disclose the issue publiclyuntil we assess its impact and mitigate the risk.
Bounty payments will only be awarded to researchers who submit vulnerabilities through our Bug Bounty program.
Vulnerability reports should include the following information:
- Summary of the vulnerability
- Vulnerability scope: Product and its version or cloud service
- Vulnerability issue type, such as remote code execution, XSS, or SQL injection
- Steps to reproduce
- Any proof-of-concept
- Supporting material / references
- The potential impact of the vulnerability
