Introduction

Maintaining consistent and effective website security is a community effort. Jimdo GmbH looks forward to working with the security community to find potential vulnerabilities in order to keep our business and users safe. We provide products and services to over 15 million websites around the world and the security of our websites is of the utmost importance to us and our users. In order to continually test and improve the quality of our services, while recognizing the important work of Security Researchers (“Researchers”), Jimdo offers this Vulnerability Disclosure Program (“Program”). By participating in this program, you, as a Researcher agree to be bound by these Rules.

Response Targets

Jimdo GmbH will make a best effort to meet the following SLAs for hackers participating in our program:

We appreciate your patience as we work as fast as possible to evaluate and classify all reported vulnerabilities.

Rewards

This program awards reputation points for valid in-scope submissions. This program currently does not provide monetary rewards. We love to acknowledge researchers who submit valid security reports and work with us, and while we do not have a bounty program, Jimdo may at its sole discretion, donate swag as a thank you to eligible Researchers of qualifying vulnerabilities that correspond to these Program Rules. N.B. We allow one swag item per researcher. No correspondence concerning the individual decision in each case will be entered into, and there is no right of appeal.

Testing Requirements

• Where possible, register accounts using your <username>@wearehackerone.com addresses
• Include the following custom HTTP header in all your traffic: X-Bug-Bounty:HackerOne-<username>
• Limit your traffic to 5 requests per second

Program Rules

• Please provide detailed reports with reproducible steps. Submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Vulnerabilities eligible for reward or recognition must be new and previously unreported. In the event of duplicate vulnerability submissions, only the earliest submission with sufficient actionable information will be considered for a reward.
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect our users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.
• Please do not carry out any actions that can cause instability or meaningful changes to our other customers or systems. Whilst we want to address DoS vulnerabilities, please do not test for it. However, if you do encounter a likely scenario, you can file a report and we will assess it on a case by case basis, subject to Jimdo’s sole discretion.
• Do not test against any contact forms, unless the form is part of your own Jimdo site.
• Scanning of any of the domains that fall outside the scope of this Program and that are listed explicitly below, is prohibited.
• Jimdo may modify these Program Rules or terminate this Program at any time. Program Rule changes will not apply retroactively.

Scope / Out of scope vulnerabilities / known issues

Any vulnerability, design or implementation issue that is reproducible, substantially affects the security of Jimdo users and corresponds to the Rules of this Program is likely to be in scope for the program. Please report in scope vulnerabilities only and review the domains listed under "Scope" below.

A Note About Stored XSS

Jimdo offers customers a way to build their own website. This does also include ways of adding custom JavaScript code to their website (i.e. through the website head or by manipulating the GraphQL queries directly). Since this is intended behavior, all reports that require a user to place a Stored XSS payload within their own page to exploit anonymous users visiting the website, is considered to be Out of Scope and will be closed accordingly.

The following vulnerability types have already been reported and triaged, and/or are considered out of the scope of this Program (either ineligible or false positives):

• Email-based user enumerations
• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions (with the exception of cms.e.jimdo.com (and *.jimdofree.com).
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version.
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Tabnabbing.
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction.

Safe Harbor

Please be aware that certain methods of testing our systems may be classified as a criminal offence by the authorities in certain jurisdictions and we ask you to ensure that you do not violate any laws (including at least German and European law and any laws applicable in your country).Our Program Rules cannot and do not supersede any applicable laws. However, we are not going to report you to the authorities, if you obey our Program Rules and we are not required to do so by law. The Researcher in submitting a vulnerability, represents and warrants that all submissions are their original work and that they own all right, title and interest therein and thereto. The Researcher in submitting a vulnerability, grants Jimdo and its affiliates a worldwide, perpetual, irrevocable, non-exclusive, transferable, fully paid and royalty-free license under any intellectual property rights or other rights to use, copy, modify, create derivative works based upon and otherwise exploit the materials submitted by the Researcher.

Data Protection

Researchers' data will be collected and processed via the HackerOne platform, to the extent necessary to review their Submission and to notify the Researcher of the outcome. It will not be used for other purposes. The Researchers’ data will not be archived, nor will it be passed on to third parties and it will be destroyed after the vulnerability submitted by the Researcher has been evaluated by Jimdo any applicable Reward has been granted to the respective Researcher. The responsible body within the meaning of the German Federal Data Protection Act is Jimdo GmbH, Stresemannstrasse 375, 22761 Hamburg, Germany. [email protected]

Thank you for helping to keep Jimdo and our users safe!