Vulnerability Disclosure

How to Report

Please report security vulnerabilities by emailing us at:

Please include as much detail as possible in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Any proof-of-concept code or screenshots
• Your contact information for follow-up

What to Expect

• Acknowledgment: We will acknowledge your report within 48 hours
• Assessment: We will investigate and validate the vulnerability within 7 days
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Recognition: With your permission, we will acknowledge your contribution

In Scope

The following types of vulnerabilities are in scope for this program:

• Cross-Site Scripting (XSS)
• SQL Injection
• Authentication and Authorization flaws
• Remote Code Execution
• Server-Side Request Forgery (SSRF)
• Insecure Direct Object References (IDOR)
• Sensitive Data Exposure

Out of Scope

The following are not eligible for this program:

• Denial of Service (DoS/DDoS) attacks
• Social engineering attacks (phishing)
• Physical security attacks
• Attacks requiring physical access to devices
• Vulnerabilities in third-party applications
• Missing security headers without demonstrable impact
• Rate limiting issues without security impact

Guidelines

• Do not publicly disclose vulnerabilities before we have resolved them
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
• Do not use automated scanning tools that generate excessive traffic
• Act in good faith and avoid privacy violations

Recognition

We appreciate the efforts of security researchers who help keep Jatura secure. With your permission, we will publicly acknowledge your contribution on our security page. While we do not currently offer a bug bounty program, we may provide recognition in other forms for significant findings.