
Vulnerability Disclosure

LAST UPDATED: OCTOBER 1, 2022

Introduction

Jubile takes security very seriously and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our digital products and services (“Product”).

Reporting Suspected Vulnerabilities

  • If you would like to report a vulnerability or have a security concern regarding Jubile Product, please contact us at data-privacy@jubile.tech.
  • Independent Penetration Testing: Jubile customers are welcome to carry out security assessments or penetration tests against their Jubile infrastructure without prior approval.
  • Collaborative Penetration Testing: Jubile is committed to supporting Pen Testing endeavors and working with its customers; reach out to your Jubile account manager to inquire further.
  • Jubile Abuse: If you suspect that Jubile Product is being used for suspicious activity, you can report it to data-privacy@jubile.tech.
  • Jubile Compliance Information: Access to Jubile compliance reports is available from time to time via our website and security bulletins. If you have additional Jubile Compliance-related questions, please contact us at data-privacy@jubile.tech.

So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

The information you share with Jubile as part of this process is kept confidential within Jubile. Jubile will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, Jubile will only share this information as permitted by you.

Jubile will review the submitted report and assign it a tracking number. We will then respond to you, acknowledging receipt of the report and outlining the next steps in the process.

SLA for Evaluation By Jubile

Jubile is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 48 hours, confirming receipt of your reported vulnerability. You will receive progress updates from Jubile at least every ten US working days.

Public Notification

If applicable, Jubile will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, Jubile requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.

Jubile makes public notifications in the form of security bulletins, which are posted on the security section of our website. Individuals, companies, and security teams typically post their advisories on their own websites and in other forums, and when relevant we will include links to those third-party resources in Jubile security bulletins.

Safe Harbor

Jubile believes that security research performed in good faith should be provided safe harbor. We have adopted Disclose.io’s Core Terms, subject to the conditions below, and we look forward to working with security researchers who share our passion for protecting Jubile customers.

Scope

The following activities are out of scope for the Jubile Vulnerability Reporting Program. Conducting any of the activities below will result in permanent disqualification from the program.

  1. Targeting assets of Jubile customers or non-Jubile sites hosted on our infrastructure.
  2. Any vulnerability obtained through the compromise of Jubile customer or employee accounts.
  3. Any Denial of Service (DoS) attack against Jubile products or Jubile customers.
  4. Physical attacks against Jubile employees, offices, and data centers.
  5. Social engineering of Jubile employees, contractors, vendors, or service providers.
  6. Knowingly posting, transmitting, uploading, linking to, or sending malware.
  7. Pursuing vulnerabilities that send unsolicited bulk messages (spam).

Disclosure Policy

Once the report has been submitted, Jubile will work to validate the reported vulnerability. If additional information is required to validate or reproduce the issue, Jubile will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and discussion of public disclosure.

A few things to note about the Jubile process:

  1. Third-Party Products: Many vendors offer products within the Jubile cloud. If the vulnerability is found to affect a third-party product, Jubile will notify the owner of the affected technology. Jubile will continue to coordinate between you and the third party. Your identity will not be disclosed to a third party without your permission.
  2. Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in a Jubile product, this will be shared with you.
  3. Vulnerability Classification: Jubile uses version 3.1 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps us quantify the severity of the issue and prioritize our response. For more information on CVSS, please reference the NVD site.

Copyright @2022 for Jubile Tech Incubator Ltd., a UK Limited company with registration number 14363692. All rights reserved.