Vulnerability Reporting Policy

At Jellyfish, the security of our customers and their data is our highest priority. We greatly appreciate the work of security researchers and the broader security community in helping make the internet a safer place.

If you believe you have discovered a security vulnerability in any Jellyfish product, service or website, we encourage you to report it to us through our responsible disclosure process. We are committed to working with you to verify and address the issue quickly and effectively.

Please review these terms before you test and/or report a vulnerability. Jellyfish pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Rules of Engagement

To ensure a great experience with Jellyfish Security, we ask that researchers follow these simple rules of engagement to limit the potential that company and/or customer data may be at risk:

  • Do not exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you during testing activities.
  • Do not use your findings to phish, spam, social engineer, or otherwise defraud any customers or Jellyfish employees during the course of testing to gain more access.
  • Do not try to physically access Jellyfish properties, attempt to social engineer employees, or otherwise try to discover risk beyond digital means against Jellyfish.
  • Do not disrupt or degrade our services, for example by performing denial of service (DoS) or distributed denial of service (DDoS) attacks against any Jellyfish resource to prove the impact of a suspected security issue.
  • Do not access, or attempt to access, data or information that does not belong to you.
  • Do not destroy or corrupt, or attempt to destroy or corrupt, data or information that does not belong to you.

If you are ever unclear on how far your testing should go, please reach out to the Jellyfish Security Team to coordinate testing with us. We can often validate your suspicions in simple ways that can reduce the chance of harm occurring to our services & customers.

How to Report a Vulnerability

Please send reports to: security@jellyfish.co. This goes directly to our Incident Response staff and will ensure a smooth communication process.

Please Include the Following in Your Report

For an online service security issue:

  • The date & time when you initially discovered the issue
  • The URL(s) where you found the security issue to be applicable
  • All relevant headers & parameters used to demonstrate the risk against the service
  • Your operating system and browser, with version number, used for all testing

For a packaged software security issue:

  • The name of the Jellyfish software you were testing & version number
  • The operating system, platform, or other relevant environment details
  • As relevant, the configuration file for the software with any secrets redacted

For all security issues, please also include:

  • A description of the type of issue (e.g. Remote Code Execution, Cross-Site Scripting)
  • Your perspective of the impact, criticality of the finding, and any abuse cases
  • Sample code (i.e. proof-of-concept) and/or tool used to generate an exploit payload
  • The best contact information for the finder of the issue (e.g. email, phone)
  • Any pre-planned disclosure timeline if you are planning to publish the findings
  • Any information you may have accidentally accessed during testing without permission

Jellyfish Security Team Commitment to You

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Regular status updates
  • Transparent and collaborative triage and remediation
  • Jellyfish does not operate a bug bounty program at this time, but may choose to reward reporters of issues in some cases, at our discretion
  • We appreciate the opportunity to coordinate disclosure with you for any planned blog posts, conference presentations, or other situations in which you may discuss your findings.

Legal Notice

This policy is designed to be compatible with common responsible disclosure practices and applicable laws. We reserve the right to modify these terms at any time.

Thank you for helping keep Jellyfish and our users secure!

The Jellyfish Security Team


Last Updated: December 2025