JFrog Trust

Report A Vulnerability

Please do not share bulk reports from automated scanners. Those findings should be reviewed and validated by a security practitioner before submitting them to JFrog.

If you believe you have found a security issue, please report it to JFrog using one of these methods:

Customers:

Please submit your report via our support portal.

Security Researchers:

Please submit a report through our Vulnerability Disclosure program or our Bug Bounty program hosted in HackerOne.

(If you are not yet a member, please send an invitation request to security@jfrog.com. Make sure you have a user which is accepting invites)

You can also email us your security report at security@jfrog.com. (If you wish to encrypt your email message with our PGP key, you can download it here).

Vulnerability Disclosure Philosophy

All submitted reports are confidential and we’ll address them by their severity. Please do not disclose the issue publicly until we assess its impact and mitigate the risk. Bounty payments will only be awarded to researchers who submit vulnerabilities through our Bug Bounty program.

 

Vulnerability reports should include the following information:

  • Summary of the vulnerability
  • Vulnerability scope: Product and its version or cloud service
  • Vulnerability issue type, such as remote code execution, XSS, or SQL injection
  • Steps to reproduce
  • Any proof-of-concept
  • Supporting material / references
  • The potential impact of the vulnerability

Release Fast Or Die

Start Free Buy Now