Rules of Engagement
- No Denial of Service testing
- No Physical or Social Engineering
- No testing of Third-party Services
- No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
- All attack payload data must use professional language
- If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
- When documenting a vulnerability, if a vulnerability is public, please make sure it is discreet and doesn't identify the client.
Low Impact Vulnerabilities - Out of Scope
The following vulnerabilities are considered too low an impact to the client and would be marked as Out of Scope if submitted:
- Google Maps API Keys
- Account/e-mail enumeration using brute-force attacks
  - Account/e-mail enumeration that does not require brute-force attacks may be considered VALID upon approval
- Any low impact issues related to session management (i.e. concurrent sessions, session expiration, password reset/change logout, etc.)
- Bypassing content restrictions in uploading a file without proving the file was received
- Clickjacking/UI redressing
- Client-side application/browser autocomplete or saved password/credentials
- Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information
  - Sensitivity of the information will be determined by ResponsibleDisclosure.JPMorganChase.com
- Directory structure enumeration (unless it reveals exceptionally useful information)
- Incomplete or missing SPF/DMARC/DKIM records
- Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections
  - Account compromises (especially admin) as a result of these issues will likely be considered VALID
- Lack of SSL or Mixed content
  - Leaking Session Cookies, User Credentials, or other sensitive data will be reviewed on a case-by-case basis
  - If leaking of sensitive data requires MiTM positioning to exploit, it will be considered out of scope
- Login/Logout/Unauthenticated/Low-impact CSRF
  - CSRF Vulnerabilities may be acceptable if they are of higher impact. The impact will be determined by ResponsibleDisclosure.JPMorganChase.com
- Low impact Information disclosures (including Software version disclosure)
- Missing Cookie flags
- Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability
- Reflected file download attacks (RFD)
- SSL/TLS best practices that do not contain a fully functional proof of concept
  - Heartbleed requires a valid POC which shows sensitive data leakage. The sensitivity of the data will be determined by ResponsibleDisclosure.JPMorganChase.com
  - POODLE requires a POC demonstrating a downgrade, not just the result of an SSLScan or Nmap scan
- URL Redirection
- Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g. an outdated jQuery version that leads to low-impact XSS)
- Valid bugs that are not directly related to the security posture of the client
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
  - Self-XSS for a Persistent/Stored XSS will be considered due to the possibility that an Admin/superuser may stumble across and execute a payload
  - Any type of XSS that requires a victim to press an unlikely key combination (e.g. alt+shift+x for payload execution)