JPMorgan Chase Responsible Disclosure Program
Committed to working together
We want to hear from you if you have information related to potential security vulnerabilities of JPMorgan Chase products and services. We value your work and thank you in advance for your contribution.
Reporting a vulnerability
Please email your vulnerability to firstname.lastname@example.org. The report should include a detailed description of your discovery with clear, concise reproducible steps and/or a working proof-of-concept. If you do not explain the vulnerability in detail, there may be delays in our response.
By submitting your report to JPMorgan Chase, you agree not to disclose the vulnerability to a third party. You perpetually allow JPMorgan Chase and its subsidiaries the unconditional ability to use, modify, create derivative work from, distribute, disclose and store the information provided in your report or to have others do the same on behalf of JPMorgan Chase, and these rights cannot be revoked. You represent that the report is original to you and that you own all right, title and interest in the submission.
To recognize research partners, JPMorgan Chase may feature researchers who make significant contributions. You hereby grant JPMorgan Chase the right to display your name on the JPMorgan Chase Leaderboard and such other media as JPMorgan Chase may choose to publish.
JPMorgan Chase agrees not to pursue claims against researchers who disclose potential vulnerabilities to this program where the researcher:
- Does not cause harm to JPMorgan Chase, our customers, or others;
- Does not initiate a fraudulent financial transaction;
- Does not store, share, compromise or destroy JPMorgan Chase or customer data;
- Provides a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability);
- Does not compromise the privacy or safety of our customers and the operation of our services;
- Does not violate any national, state, or local law or regulation;
- Does not publicly disclose vulnerability details without JPMorgan Chase’s written permission;
- Is not currently located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea;
- Is not on the U.S. Department of the Treasury’s Specially Designated Nationals List;
- Is not an employee or an immediate family member of an employee of JPMorgan Chase or its subsidiaries; and
- Is at least 18 years old.
Out of Scope Vulnerabilities
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
- Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)
- Host Header
- Denial of service (DoS)
- Self-XSS (User defined payload)
- Login/logout CSRF
- Content spoofing without embedded links/HTML
- Vulnerabilities which require a jailbroken mobile device
- Infrastructure vulnerabilities, including:
  - Certificates/TLS/SSL related issues
  - DNS issues (e.g. MX records, SPF records, etc.)
  - Server configuration issues (e.g. open ports, TLS, etc.)
- Most vulnerabilities within our sandbox, lab, or staging environments.
- Any physical attempt against JPMorgan Chase property or data centers
- Content spoofing / text injection
We will process each report and may contact you if more information is needed from you.
We request that you keep all communication regarding the vulnerability confidential.