Bug Bounty Policy

Purpose

The purpose of this policy is to define JandaSec’s stance on bug bounty programs and engagement with unsolicited vulnerability reports from external parties or self-described “security researchers.”

Policy Statement

JandaSec currently does not operate a formal bug bounty program and will not engage with unsolicited reports from independent “security researchers” or individuals seeking compensation for vulnerabilities discovered in our systems. Our policy at this time is to ignore such contacts where compensation is required.

However, JandaSec welcomes valid issues reported by clients, colleagues and known associates in a spirit of transparency, openness and security best practice, though not in exchange for any financial compensation.

Should independent “security researchers” unknown to JandaSec wish to disclose issues to us in this manner, we are open to receiving that feedback informally, but we will not enter into any legally binding or financial commitment, nor do we commit to any official acknowledgement or communication.

Rationale

There are several compelling reasons for this policy:

Resource Constraints

Managing a bug bounty program requires significant resources, including dedicated security staff, tools, and processes to validate, prioritise, and remediate reported vulnerabilities. JandaSec must allocate its resources efficiently and focus on clients and on our established internal vulnerability management processes, which are more suitable for our size and operational scope.

Risk of Exploitation

Engaging with unsolicited vulnerability reports can expose the company to risks, such as extortion attempts, data breaches, or the inadvertent sharing of sensitive information with untrusted individuals. Without a formalised program and vetting process, the potential for misuse or mishandling of reported vulnerabilities increases.

Lack of Control

Bug bounty programs, particularly those open to the general public, can lead to an influx of low-quality or duplicate reports, which can overwhelm internal teams and divert attention from critical security tasks. This is particularly challenging for SMBs, which may not have the capacity to manage such a volume of reports effectively.

Interacting with unknown and unverified individuals who present themselves as “security researchers” can create legal and compliance challenges. Without proper contractual agreements and clear guidelines, the company may inadvertently expose itself to legal liabilities or breaches of regulatory requirements.

Best Practice

While bug bounty programs are a common practice among large enterprises with extensive security resources, they are not typically recommended for SMBs without the necessary infrastructure to manage them effectively. Our current approach aligns with industry best practices for companies of our size and resources.

security.txt

JandaSec DOES support the security.txt proposed standard, both in principle and in practice. Whilst our policy as outlined above restricts, for the rationale provided, what we can offer in terms of a Bug Bounty Policy, we do support security.txt as a proposed standard for the wider online community, and for that reason have defined our own security.txt configuration, which essentially links back to this policy.

This file has been digitally signed with OpenPGP using a strong ECC (Elliptic Curve Cryptography) key to prove its authenticity; the signature is in security.txt.asc. The PGP public key is available here.

As per the configuration in our security.txt file, any disclosure made to us under the conditions of this policy must be made via our secure SendSafely portal.
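As an added illustration (not JandaSec's own code or configuration), the following Python checks a security.txt file for the fields RFC 9116 makes mandatory, reads only the signed payload when the file is OpenPGP clearsigned, and flags an unsigned copy; the sample file and its URLs are constructed placeholders.

```python
import re
from datetime import datetime, timezone
# Constructed sample clearsigned security.txt; placeholder URLs, signature elided.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: https://example.com/secure-disclosure-portal
Expires: 2099-01-01T00:00:00Z
Policy: https://example.com/bug-bounty-policy
Encryption: https://example.com/pgp-public-key.asc
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

# The signed payload sits between the armor headers' blank line and the signature.
CLEARSIGN = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n"
                       r"(.*?)-----BEGIN PGP SIGNATURE-----", re.S)

def parse_fields(text: str) -> list[tuple[str, str]]:
    """Parse 'Name: value' lines into (lowercased name, value) pairs."""
    m = CLEARSIGN.search(text)  # if clearsigned, read only the signed payload
    fields = []
    for line in (m.group(1) if m else text).splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def validate(text: str, now=None) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    fields = parse_fields(text)
    problems = []
    if not any(n == "contact" for n, _ in fields):
        problems.append("missing Contact field (mandatory)")
    problems += [f"Contact must be an https/mailto/tel URI: {v}" for n, v in fields
                 if n == "contact" and not v.startswith(("https://", "mailto:", "tel:"))]
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (mandatory)")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None or exp <= (now or datetime.now(timezone.utc)):
                problems.append(f"Expires must be a future, timezone-aware timestamp: {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    if not CLEARSIGN.search(text):
        problems.append("file is not OpenPGP clearsigned (recommended, not mandatory)")
    return problems
```

Parsing only the clearsigned payload means a field appended outside the signature (for example a replaced Contact line) is ignored rather than trusted; verifying the signature itself against the published key is a separate step with an OpenPGP implementation.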

Future Considerations

JandaSec recognises that security is an evolving field, and our position on bug bounty programs may change as our business grows and our security capabilities expand. We will continue to monitor industry trends and reassess our policy periodically. However, at this time, our focus remains on our work with our clients, continuously enhancing our internal security practices and formal internal vulnerability management processes.

Conclusion

In conclusion, JandaSec will not, at this time, engage with unsolicited vulnerability reports or operate a bug bounty program that requires any legal or financial commitment. This decision is based on careful consideration of our resources, risks, and best practices for SMBs. We ask that individuals who are unknown to us and who require a legal commitment or financial compensation refrain from contacting the company with unsolicited vulnerability reports. Any changes to this policy will be communicated in future updates.