Jenkins Bug Bounty Program

About our project

Jenkins is the leading open source automation server supported by a large and growing community of developers, testers, designers and other people interested in continuous integration, continuous delivery and modern software delivery practices. Built on the Java Virtual Machine (JVM), it provides more than 2,000 plugins that extend Jenkins to automate with practically any technology software delivery teams use. In 2022, Jenkins reached 300,000 known installations making it the most widely deployed automation server.

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.

It supports most of the version control tools and most of the build tools, as well as arbitrary shell scripts and Windows batch commands.

About the scope

This program is limited to a specific list of assets. Your tests must be limited to :

• Jenkins Core and its main components
• A selection of plugins
• Use the latest versions of the different component or the latest master/main branch on GitHub
• Pay attention on the latest weekly releases of the Jenkins core

Reports about other assets won't be eligible for reward. If you find something outside of the scope, feel free to report them through https://www.jenkins.io/security/reporting/

Documentation

You may find our project documentation here.

A docker version is available here.

Program rules

About report's content

To be eligible, your reports must include the hereafter information :

• General description of the issue
• Details about the impacted function and specific conditions to be met (ideally, including the vulnerable code snippet)
• Impacted version (for Core and the minimal set of plugins and their versions)
• A step by step proof of concept allowing to reliably reproduce the issue (be explicit about the system requirements / configuration)
• Recommendations and fix suggestions

A detailed template will be provided automatically when submitting a report, please stick to it. This will help us ensure a smooth and swift processing of your reports.

Mind that reports that do not follow the template’s guidelines won’t be eligible for reward. Abuse may lead to further sanctions (e.g. spamming or repeated submission of invalid reports).

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• As the project infrastructure of the project is out of scope, attacks on the provided servers/services are strictly forbidden
• All reports must be validated manually, submission from automated tools won't be considered and may lead to sanctions (code analysis tools, AI, …)
• Targeting other users' instances is forbidden (and they are out of scope), only test against your own
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• Same with secrets, keys and credentials
• No vulnerability disclosure, full, partial or otherwise, is allowed without prior agreement from us
• Please avoid submitting security issues on our repositories before reporting it to this program, your report might be considered as a duplicate if a related submission already exists on our repositories
• The following topics won’t be considered as a valid finding eligible for reward nonetheless, you’re welcome to suggest improvements about it through our repositories but not our bug bounty program :
  • Code improvements/code quality issues without security impact
  • Insecure default/basic configurations
  • Mistakes or lack of precision in our documentation

Furthermore, reports about behaviours that relies on leveraging a legitimate access as an administrator won't be considered for reward. Being administrator of a Jenkins realm grants extended rights which could be abused as for any application. Due to our threat model and context of use we won't consider reports that leverage legitimate administrator access under the assumption that the administrator may have malicious intent and could abuse his level of rights.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• You must not break any of the testing policy rules listed above
• You must not be a maintainer of the target component (exception for Jenkins Core)
• You must not be a member of the Jenkins Security team
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• Identical vulnerabilities present in different versions will be considered as a single issue/will warrant a single reward
• Multiple vulnerabilities caused by one underlying issue will be considered as a single issue/will warrant a single reward

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis