Welcome to JPMorgan Chase Responsible Disclosure
Responsible Disclosure Policy:
This page is for security researchers interested in reporting application security vulnerabilities.
If you have reported an issue that is determined to be within program scope and to be a valid security issue, and you have followed program guidelines, the JPMorgan Chase Responsible Disclosure Program will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued.
Typical Vulnerabilities Accepted:
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope:
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- Low impact session management issues
- Self XSS (user defined payload)
For the full program scope, please visit the JPMorgan Chase Responsible Disclosure details page.
Responsible Disclosure Guidelines:
- Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.JPMorganChase.com
- Work directly with the JPMorgan Chase Responsible Disclosure Program on vulnerability submissions
- Provide a detailed description of a proof of concept that details how to reproduce the vulnerability
- Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not request compensation for time and materials or vulnerabilities discovered