jewl.app believes in better security through openness. We welcome and value technical reports of vulnerabilities that could substantially affect the confidentiality or integrity of our services. If you believe that you have discovered such a vulnerability, please report it through a GitHub Security Advisory. The jewl.app team will work with you to investigate and resolve the issue. The first reporter of a security vulnerability is eligible to receive a monetary reward.
The jewl.app Security Bounty Program covers the Solana program deployed at JEWLooNxKR6wjBrYVyu6Uea7ArFaq5CHiGjthssPpWQ and our main website hosted at https://jewl.app. Development environments and third-party services are not included in the security bounty program. We are mainly interested in technical vulnerabilities that would allow attackers to steal or freeze user funds, extract private information, or degrade the experience for genuine users. We are interested in real vulnerabilities, not in the output of automated scanners or tools. We require all vulnerability reports to be accompanied by a proof-of-concept that demonstrates the vulnerability and its implications.
Below are some examples of in-scope vulnerabilities.
- Theft or freezing of funds
- Extraction of keys, secrets or tokens
- Sensitive information leaks
- Degradation of service
- Remote code execution
Below are some examples of out-of-scope vulnerabilities. If you feel any of the following items pose a real threat to jewl.app, feel free to send us a report accompanied by a proof-of-concept that demonstrates the vulnerability.
- Lack of CSRF tokens
- Clickjacking and tabnabbing issues
- Missing security headers
- Missing best practices
- Reports from automated tools or scans
- Reports of insecure ciphers
- Absence of rate limiting
- Outdated software
- Broken links
At jewl.app we believe vulnerability disclosure is the right approach to protect our users. When submitting a vulnerability report we ask you to not share any information about the vulnerability with other parties and/or the general public until jewl.app has investigated, resolved and disclosed the issue through a security advisory.
In return, jewl.app commits that security researchers reporting issues and vulnerabilities will be protected from legal liability, so long as they follow the disclosure guidelines and principles as outlined by this document.
In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles.
When testing, we ask you to:
- Always use your own accounts, funds, information, etc. when researching vulnerabilities.
- Use the lowest amount of funds possible, as lost funds cannot always be recovered.
Do not engage in testing that:
- Degrades jewl.app’s information systems and products for other users.
- Results in you, or any third party, accessing, storing, sharing or destroying jewl.app or user data.
- May impact jewl.app users, such as denial of service, social engineering or spam.
Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, and should contain a working proof-of-concept.
All reports should go through a GitHub Security Advisory unless instructed otherwise by jewl.app.
Low quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process, which is in nobody’s interest. Please only submit one report per issue.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without jewl.app's prior written approval.
After triage, we will send a quick acknowledgement and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information or your qualification for a reward.
Bug reporters allow jewl.app the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.
Once the security issue is fixed or mitigated, the jewl.app team will contact you. Prior to any public announcement of a vulnerability, and to the extent permitted by the law, we will share the draft description of the vulnerability with you. jewl.app will also provide you with a reasonable amount of time to prepare a public disclosure of the vulnerability, if you so choose.
You may be eligible to receive a reward if:
- You are the first person to submit a given vulnerability.
- The vulnerability is determined to be a valid security issue by jewl.app.
- You have complied with the jewl.app Security Bounty Program policy and guidelines.
The decision to grant a reward for the discovery of a valid security issue is at jewl.app's sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission report, ease of exploitation and overall risk for jewl.app's users and brand.
Bounties will be paid directly to the researcher in SOL.
You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
To be eligible for a reward, you must not:
- Be a resident of, or make your vulnerability submission from, a country against which the Netherlands has issued export sanctions or other trade restrictions.
- Be in violation of any national, state, or local law or regulation.
- Be employed by jewl.app or its subsidiaries or affiliates.
- Be an immediate family member of a person employed by jewl.app or its subsidiaries or affiliates.
- Be less than 18 years of age. If you are under 18 years old, or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.
Violations of these terms can result in a warning and/or a ban from this Security Bounty Program.
- Be kind.
- Be respectful and professional in your communications and behavior.
- Hate speech, profanity, or any aggressive threats will not be tolerated in any form.
- Only contact the jewl.app team through the GitHub Security Advisory.
We may update our Security Bounty Program from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Security Bounty Program on this page. These changes are effective immediately after they are posted on this page.
If you have any questions or suggestions about our Security Bounty Program, do not hesitate to contact us through any of our contact channels.
Copyright © 2023 jewl.app