Jobber Bug Bounty Program

Program Guidelines

To submit Bug Bounty Reports use the form available at: https://forms.gle/hCqCvTsZPrH1ToJH9

Introduction

Jobber is committed to customer safety, security, and privacy. We’re confident in the security of our systems and are now offering a private bug bounty program to enhance our protection. If you (“you”, or “researcher”) discover a potential security bug (a “Bug”) affecting Jobber, you may submit it for review (each a “Bug Bounty Submission”). If it meets our criteria, we’ll reward you with bounties (a “Bounty”) determined at our discretion.

The Jobber Bug Bounty Program (the “Program”) is not a competition but a reward program, with all decisions by Jobber being final. These Program Terms and Conditions (the “Program Terms”) are part of an agreement between you and Jobber, supplemented by the Jobber Terms of Service and Privacy Policy. In the event of any conflict between the Terms of Service and the Program Terms, the Program Terms will prevail to the extent of such conflict.

For any questions about the Program, contact us at [email protected]. We look forward to your participation.

GENERAL GUIDELINES:
  • Vulnerability reports which do not include manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability – will be rejected.
  • Include clear steps to reproduce and verify that you are able to demonstrate a working proof of concept.
  • Submissions without sufficient details will be rejected. Repeated low-effort submissions will disqualify you from further participation in the Program.

How much is a bug worth?

Below is our Bounty payout structure, which is based on the severity and impact of Bugs.

Severity | Examples (Non-Exhaustive) | Payout (CAD)
---------|---------------------------|-------------
High | Remote code execution; Authentication bypass; Local Privilege Escalation (non-admin to admin) | $500
Medium | Potential for sensitive information (PII) disclosure; Cross-site scripting on authenticated pages | $300
Low | Cross-site scripting (non-authenticated pages); Cross-site request forgery; Third-party security bugs that affect Jobber | $100

Depending on the detail of your submission, we may award a Bounty of varying amounts. Well-written reports and functional exploits are more likely to result in Bounties.

Jobber’s determinations with respect to the eligibility of any Bug submitted via the Program and amounts paid as Bounty for such Bug are final and binding. 

SUBMISSION ELIGIBILITY AND PROGRAM SCOPE

To ensure that Bug Bounty Submissions and payouts are fair and relevant, the following requirements and guidelines apply to all researchers submitting reports:

  • Submit one vulnerability report per underlying issue.
  • All issues must be new discoveries. Rewards will be provided only to the first researcher who submits a particular security Bug.
  • The researcher submitting the Bug must not currently be nor have been engaged by Jobber as an employee, contractor, consultant, or similar relationship within six months prior to the submission.
  • The researcher submitting the Bug must not be the author of the vulnerable code.
  • The researcher must not exploit or disclose the Bug publicly before a fix is released and Jobber gives permission in writing.

Bug Bounty Submissions pertaining to the following domain structure, “https://______.getjobber.com”, and to our iOS and Android mobile app are deemed “in scope” and potentially eligible for Bounties pursuant to the Program, subject to the additional requirements set forth in these Program Terms:

Examples:

  • secure.getjobber.com
  • clienthub.getjobber.com
  • developer.getjobber.com

Bug Bounty Submissions are considered out of scope and ineligible for payouts if they involve:

  • Domains not listed in the “in scope” list above.
  • The Jobber marketing site hosted at https://www.getjobber.com or https://getjobber.com.
  • Domains hosted by third-party providers such as Zendesk or Flywheel.
  • Staging/development environments, unless stated in the “in scope” list above.
  • Attempts to access private customer information or accounts.
  • Social engineering, including phishing against employees.
  • Efforts to take over social media pages.
  • Attempts to access offices, employee devices, or test physical security controls.
  • Volumetric testing, denial of service, or similar.
  • Spam and flooding.
  • Rate limiting and brute force.

Note that the following URLs are out of scope for our program:

  • https://www.getjobber.com
  • https://getjobber.com
  • share.getjobber.com
  • try.getjobber.com

Bug Bounty Submissions pertaining to the following issues are not eligible for Bounties pursuant to the Program:

  • Anything not directly exploitable, such as: security best practice violations, email/username enumeration, and missing cookie flags.
  • Attacks where the impact is confined to the attacking user, meaning the effects are limited solely to the individual who initiates the attack (known as self-attacks).
  • Vulnerabilities that require an already compromised system, such as jailbreaking a mobile device, a compromised email account, etc.
  • Credentials obtained from external data services or breach data aggregators, even if legitimate, are not eligible. Submissions are only accepted if evidence is provided that the data was sourced directly from a Jobber system or a partner, not from unrelated third-party websites.
  • Email/Username enumeration without a specific, demonstrable impact.
  • Anything SSL (related attacks, insecure cipher suites, etc.).
  • Password complexity related vulnerabilities.
  • Pre-authentication open redirects.
  • Denial of Service attacks and Distributed Denial of Service attacks.
  • Incomplete or missing SPF/DKIM/DMARC records.
  • Physical or social engineering attacks.
  • Recently disclosed 0-day vulnerabilities – please give us two weeks to patch our systems before reporting these types of issues.

SUBMISSIONS

If you believe you’ve discovered an eligible Bug, please submit through this form: https://forms.gle/hCqCvTsZPrH1ToJH9 

Please note:

  • Any attachments that need to be encrypted must be encrypted using our GPG key: https://getjobber.com/security/jobberpgpkey.txt
  • There is no limit to the number of Bounties that can be earned, subject to these Program Terms.
  • Submissions must include your legal name and be your own work.
  • Incomplete or ineligible submissions, or those involving third-party content without permission, will not be considered for Bounties.
  • We are not responsible for unreceived Bug Bounty Submissions.
  • Bugs for products or services not covered by the Program at the time of submission will not be eligible for Bounty payments, as determined in our sole discretion.
  • By making a Bug Bounty Submission, you acknowledge that a Bounty is not guaranteed and that you have the legal rights to submit the Bug under the Program Terms.

Confidentiality

Any information about Jobber, its affiliates, or employees that you receive through the Program, including your Bug Bounty Submissions, shall be considered “Confidential Information”, as that term is defined under the “CONFIDENTIALITY OF BUG BOUNTY SUBMISSIONS/ RESPONSIBLE DISCLOSURE” heading of Section 2 below; for additional information regarding Confidential Information, please refer to said section. Please treat any such information with the utmost confidentiality, and please note that making any disclosures related to the same may disqualify you from receiving a Bounty and/or participating in the Program. 

Program Terms and Conditions

Submissions

By making any Bug Bounty Submission, you represent and warrant that (1) you have the legal right to submit the Bug Bounty Submission to us and to grant us the rights set forth in these Program Terms and (2) the Bug Bounty Submission is your own work and does not contain content owned by a third-party (other than such third-party content that you have valid permission to provide to us pursuant to these Program Terms). Bug Bounty Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounties. 

Bugs must be new discoveries in order to be eligible for a Bounty. Bounties will be provided only to the first eligible researcher to submit a particular Bug. Multiple vulnerabilities caused by one underlying issue will be eligible for only one Bounty except as determined otherwise by Jobber in our sole discretion. You can earn Bounties for additional Bug Bounty Submissions for an unlimited number of times, subject to the limitations in these Program Terms.

We are not responsible for submissions that we do not receive regardless of the reason. If you submit a Bug for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.

Changes to these program terms

We reserve the right to change these Program Terms, including the Program rules, procedures, benefits or conditions of participation, in whole or in part, at any time, with or without notice. Your participation in the Program after changes are effective constitutes your acceptance of these Program Terms as updated. If you do not agree to any changes made to these Program Terms, you may not participate in the Program. 

We may cancel the Program at any time, and the decision whether to pay particular Bounties remains entirely within Jobber’s discretion as described herein. 

Researcher Eligibility

The Program only applies to Bug Bounty Submissions made in accordance with these Program Terms on or after September 1, 2021. The Program is void where prohibited, and these Program Terms are subject to Canadian law, and there may be additional restrictions on participation in the Program under your local law.

To be eligible to participate in the Program, you must be at least 18 years old prior to participating in this Program, and you must be either (1) an individual researcher participating in the Program in your own individual capacity or (2) an individual participating on behalf of an organization that you work for that permits you to participate in the Program. You are solely responsible for reviewing and understanding your organization’s rules about whether and when you may participate in the Program, and you may not participate in the Program if you are not sure such participation is permitted. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty.

You may not participate in the Program if:

  • You are under the age of 18;
  • Your organization does not allow you to participate in these types of programs;
  • You are a public sector employee (government and/or education) and have not obtained permission from your ethics compliance officer to participate in the Program;
  • You are currently an employee, contractor, or consultant of Jobber or any Jobber subsidiary or affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee, contractor, or consultant;
  • Within one year prior to your Bug Bounty Submission via the Program you were (or your immediate family member or household member was) an employee, contractor, or consultant of Jobber or any Jobber subsidiary or affiliate;
  • You are the author, or were otherwise involved in the development of, any vulnerable code that is the subject of your submission; 
  • You are or were involved in any part of the development, administration, and/or execution of this Program; or
  • You are a resident of any country subject to sanctions by the United States and/or Canada that prohibit or restrict the payment to you of any applicable Bounty, or of any other country that does not allow participation in this type of program.

If: (i) you do not meet the eligibility requirements above or any other requirements in these Program Terms (including any submission-specific requirements set out in the following section); (ii) you breach any of these Program Terms or any other agreements you have with Jobber or its subsidiaries or affiliates; or (iii) we determine that your participation in the Program could adversely impact us, our affiliates, or any of our customers, employees or agents, we, in our sole discretion, may remove you from the Program and disqualify you from receiving any benefit of the Program.

How we pay bounties

Subject to the following parameters and as otherwise set forth in these Program Terms, payment of Bounties will be made for valid and eligible Bug Bounty Submissions once we have fixed the Bug in question (or, in very specific cases, once we have decided not to fix it). Our desired timeframe to remediate each valid submission is within 90 days following receipt of a valid Bug Bounty Submission, but this process may require additional time for a variety of reasons. All decisions we make pertaining to the availability of any Bounties are final and binding.

If we determine that your Bug Bounty Submission is eligible for a Bounty, we will provide you with the necessary paperwork for payment processing. Before receiving a Bounty, you may be required to complete and submit appropriate tax forms or other information. We cannot process payment until you have completed and submitted the fully executed required documentation. Jobber will make commercially reasonable efforts to provide a payout for each qualifying Bug within a reasonable time from our remediation of the applicable issue (or our determination not to remediate), provided that we have determined that the applicable Bug Bounty Submission remains eligible for receipt of the Bounty.

We reserve the right to select reasonable payment methods for Bounties. At the time of posting of these Program Terms, Bounty payments are made via PayPal. If you are unable or unwilling to receive your Bounty payment via Jobber’s selected method of payment and are subject to these Program Terms, we reserve the right to rescind or modify it as appropriate. Please note that Bounty payouts are subject to the taxes of your country of residence and citizenship. You are responsible for any tax implications.

License; Right to Submit

You retain ownership of the content of your Bug Bounty Submissions. However, by choosing to submit any Bug Bounty Submissions, you grant Jobber a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the content of your Bug Bounty Submission, including any intellectual property rights associated with that content. This license permits us to: (i) use, review, assess, test, and otherwise analyze your Submission; (ii) reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) display or otherwise present your Bug Bounty Submission and all of its content in connection with the marketing, sale, or promotion of this Program or our other programs or activities in any media or format. You agree to sign any documentation necessary for Jobber or our designees to confirm the rights granted under this license, and you agree and acknowledge that we may have developed content similar to your Bug Bounty Submission.

CONFIDENTIALITY OF BUG BOUNTY SUBMISSIONS/ RESPONSIBLE DISCLOSURE

Information you receive or collect about Jobber or its affiliates or employees through the Program, including your Bug Bounty Submissions, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential (“Confidential Information”). For the purposes of the Program, information and/or material shall be deemed “Confidential Information” if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material “confidential” or “proprietary.”

Confidential Information must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty Submission without Jobber’s prior written consent.

At Jobber, safeguarding the security of our customers is of utmost importance. We highly value your efforts in identifying potential vulnerabilities within our systems. While we diligently work to address each submitted vulnerability, we require that you treat your Bug Bounty Submissions with the utmost confidentiality. Disclosing Bugs or potential bugs, or any other content of a Bug Bounty Submission, in violation of the foregoing provisions will disqualify you from receiving a Bounty and from participating in the Program in the future.

YOUR PERSONAL INFORMATION

Our collection and use of your information, including personal information, in connection with your use of the Program is subject to our Privacy Policy.

Prohibited Conduct

You must not knowingly or intentionally access or acquire the personal information of any Jobber customer or employee. In the event it is determined you knowingly or intentionally accessed the personal information of any Jobber customer or employee, you will become immediately ineligible to participate in this Program. In the event you inadvertently access or acquire the personal or other sensitive information of any Jobber customer or employee, you must immediately cease all activity and notify us. 

In connection with your participation in the Program, you agree that you will not:

  • Make any threats, attempts at harassment, coercion, or extortion of Jobber employees or customers.
  • Do anything that violates applicable law.
  • Infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
  • Engage in activity that is harmful to Jobber, you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
  • Help others break these Program Terms.

Safe Harbour

Activities conducted in a manner consistent with these Program Terms will be considered authorized conduct, and we will not initiate legal action against you for research and vulnerability disclosure activities conducted in accordance with these Program Terms, or for accidental violations committed in a good-faith attempt to comply with these Program Terms. If legal action is initiated by a third-party against you in connection with activities validly conducted under these Program Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Program Terms. You are required, at all times, to comply with all applicable laws and not to disrupt any systems or data beyond activities expressly authorized by these Program Terms.

Please note, however, that we cannot bind third parties with these safe harbour provisions, and if your security research involves systems, networks, products, or services of a third party, that party could pursue legal action against you. We do not authorize research activities in the name of any other entities, and we do not offer to defend, indemnify, or otherwise protect against any third-party actions based on such activities.

We reserve the right to determine in our sole discretion whether any conduct violates these Program Terms and whether any violations were accidental. If at any time you have concerns or are uncertain whether your security research is consistent with these Program Terms, please email us at [email protected] with your questions.

NO WARRANTIES

JOBBER AND OUR RESELLERS, DISTRIBUTORS, AGENTS, AND AFFILIATES MAKE NO WARRANTIES, EXPRESS OR IMPLIED, OR GUARANTEES WITH RESPECT TO THE PROGRAM. YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LOCAL LAW, WE EXCLUDE ALL IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW LIMITING THE FOREGOING EXCLUSIONS. NOTHING IN THESE PROGRAM TERMS IS INTENDED TO AFFECT THOSE RIGHTS TO THE EXTENT APPLICABLE.

INDEMNIFICATION

YOU SHALL INDEMNIFY AND HOLD JOBBER AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, AGENTS, AND EMPLOYEES, HARMLESS FROM ALL CLAIMS, ACTIONS, PROCEEDINGS, DEMANDS, DAMAGES, LOSSES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS’ FEES), INCURRED IN CONNECTION WITH ANY MATERIALS SUBMITTED, POSTED, TRANSMITTED OR MADE AVAILABLE BY YOU THROUGH PARTICIPATION IN THE PROGRAM (INCLUDING ANY BUG BOUNTY SUBMISSIONS YOU MAKE) AND/OR ANY VIOLATION BY YOU OF THESE PROGRAM TERMS, THE RIGHTS OF ANY THIRD-PARTY, OR ANY APPLICABLE LAW OR REGULATION. This provision does not require you to indemnify Jobber for any unconscionable commercial practice by Jobber or for Jobber’s fraud, deception, false promise, misrepresentation or concealment, or suppression or omission of any material fact in connection with the Program.

LIMITATION OF LIABILITY

UNDER NO CIRCUMSTANCES SHALL JOBBER BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR OTHER DAMAGES WHATSOEVER IN CONNECTION WITH THE PROGRAM. THESE LIMITATIONS SHALL APPLY EVEN IF JOBBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, JOBBER’S LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THESE PROGRAM TERMS (FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION), WILL AT ALL TIMES BE LIMITED TO THE GREATER OF (A) ONE HUNDRED DOLLARS ($100) OR (B) THE AGGREGATE AMOUNT OF ANY BOUNTIES YOU HAVE RECEIVED PURSUANT TO THE PROGRAM IN THE PRIOR 12 MONTHS (IF ANY). THE FOREGOING LIMITATIONS SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.

ARBITRATION OF DISPUTES

To the extent permissible under applicable law, any disputes between you and Jobber are subject to the provisions of our Terms of Service, including the Dispute Resolution section (the “Arbitration Agreement”). By participating in the Program, you agree to the dispute resolution provisions set forth in the Arbitration Agreement. Unless you opt out of the Arbitration Agreement as provided in the Terms of Service, (1) you will only be permitted to pursue claims and seek relief against Jobber on an individual basis, not as a plaintiff or class member in any class or representative action or proceeding, and (2) you are waiving your right to seek relief in a court of law and to have a jury trial on your claims.

Choice of Law

Any dispute or claim relating to these Program Terms or your participation in the Program will be governed and interpreted by and under the laws of Alberta, Canada, without giving effect to any principles that provide for the application of the law of any other jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods is expressly excluded from these Program Terms.

ADDITIONAL TERMS

Neither your participation in the Program nor anything contained in these Program Terms shall be construed as creating or implying a joint venture, partnership, agency, or employment relationship between you and Jobber or its affiliates. These Program Terms, together with the Jobber Terms of Service, Privacy Policy (and related jurisdiction-specific privacy notices), the Payments Terms of Service, and any other documents or guidelines incorporated by reference herein or therein, constitute the entire agreement between the parties relating to the Program and all related activities. These Program Terms shall not be modified except by a new posting of these Program Terms by Jobber. If any part of these Program Terms is held to be unlawful, void, or unenforceable, that part shall be deemed severed and shall not affect the validity and enforceability of the remaining provisions. The failure of Jobber to exercise or enforce any right or provision under these Program Terms shall not constitute a waiver of such right or provision. Any waiver of any right or provision by Jobber must be in writing and shall only apply to the specific instance identified in such writing.