Vulnerability Disclosure Program
Secure Jupiter Money by responsibly reporting vulnerabilities and earn recognition.
Scope
1.1 In-Scope Targets
- Mobile Apps: Jupiter Money Android & iOS (latest public versions).
- Web & APIs: Any host or subdomain under *.jupiter.money.
- Business-Logic Vulnerabilities: Unintended financial flows or policy bypasses.
1.2 What We’re Looking For
Technical Vulnerabilities (examples)
- Authentication/authorization flaws (IDOR, privilege escalation)
- Injection: SQL/NoSQL, XSS, CSRF
- SSRF, RCE, path traversal, deserialization
- Sensitive data exposure (PII/tokens/keys)
- Security misconfigurations with impact
Business-Logic Vulnerabilities (examples)
- Bypassing balance/limit checks; unintended credits/debits
- Step-up/OTP/KYC bypass
- Rewards/referrals abuse
- Race conditions: double-credit/debit
- Order-of-operations flaws
Out of Scope (Not Authorized)
- Social engineering or phishing
- Denial of Service (DoS/DDoS)
- Physical security attacks
- “Assumed admin” attacks
- Best-practice only issues without impact
- Third-party systems not under our control
- Automated bulk scanning or spam
- Outdated OS/app versions or non-trusted MITM
- Duplicate or already known issues
For “best-practice only” issues, provide an exploit chain that demonstrates real impact.
Rules of Engagement
Dos
- Use your own accounts; minimize non-public data access.
- Stop at PoC; do not pivot or persist.
- Respect rate limits; minimize traffic.
- Encrypt sensitive details with our PGP key.
- Delete inadvertently accessed data and inform us.
Don’ts
- Access/modify others’ data or disrupt services.
- Perform DoS, social engineering, or physical attacks.
- Extort, demand payment, or threaten disclosure.
Report Submission
Contact & Support
Email: security@jupiter.money
© 2025 Jupiter Money. All rights reserved.