Report a vulnerability in Jumbo's security system

At Jumbo the security of our systems is a top priority. No matter how much effort we put into system security, there might be vulnerabilities present. If you discover a vulnerability in the Jumbo security systems, we would like to know about it so we can take steps to address it. We would like to ask you to help us protect our business, clients and systems.

What we ask of you:

  • Report the vulnerability as quickly as possible to minimize the risk of hostile actors also finding this vulnerability and potentially taking advantage of it.
  • Report your findings in a manner that safeguards the confidentiality of the report in order to limit the risks of others gaining access to your findings and the information related thereto.
  • Provide sufficient information in your report for Jumbo to be able to reproduce and resolve the vulnerability. Usually the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Don't reveal the vulnerability to anyone else.
  • Don't build your own backdoor in an information system with the intention of using it to demonstrate the vulnerability you discovered. This could cause additional damage and create unnecessary security risks for Jumbo.
  • Don't utilize a vulnerability further than necessary to establish its existence.
  • Don't copy, modify or delete data on the Jumbo system. An alternative to doing so is making a directory listing of the system.
  • Don't make changes to the Jumbo system.
  • Don't repeatedly gain access to the system or share access with others.
  • Don't use brute force attacks, attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties to gain access to the system.

What we promise you:

  • Jumbo will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, Jumbo will not take any legal action against you concerning the report.
  • Jumbo will not disclose your personal details to any third parties without your explicit permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.
  • Jumbo will keep you informed of the progress in resolving the vulnerability.
  • Should Jumbo decide to make the information on the reported vulnerability public, we will mention you as the person who discovered the vulnerability if you wish to be mentioned as such.

Out of scope

The following types of issues and non-exploitable vulnerabilities are out of scope of the responsible disclosure program:
  • Reports of an older version of any software without a proof of concept or working exploit.
  • Local websites which are hosted by Jumbo Franchisees.

Have you discovered a vulnerability in our security system?

If you have discovered or suspect a vulnerability in Jumbo’s security system, please follow the next step. Submit your findings by using the button below.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.