Bug Bounty Program

We welcome responsible security research. Report vulnerabilities and earn rewards up to $2,000 for helping keep JieGou secure.

Scope

In-scope systems

  • console.jiegou.ai — Main application
  • mcp.jiegou.ai — MCP server
  • jiegou.ai — Marketing website
  • JieGou Chrome Extension — Browser extension (Chrome Web Store)

Out of scope

  • Third-party services (Firebase, AWS, Stripe, LLM providers)
  • Social engineering attacks against JieGou employees
  • Denial of service (DoS/DDoS) attacks
  • Physical security attacks
  • Automated scanning without prior approval
  • Any testing that could degrade service availability

Reward tiers

Critical $500 – $2,000
  • Remote code execution (RCE)
  • Authentication bypass
  • SQL/NoSQL injection leading to data access
  • Privilege escalation (Viewer to Admin/Owner)
  • Unauthorized access to customer data across accounts

High $200 – $500
  • Cross-site scripting (XSS) with demonstrated impact
  • Cross-site request forgery (CSRF) on sensitive actions
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR) exposing sensitive data
  • API key or credential exposure in responses

Medium $50 – $200
  • Information disclosure (stack traces, debug info, internal IPs)
  • Missing security headers with demonstrated exploit path
  • Session fixation
  • Subdomain takeover

Low Acknowledgment
  • Missing best-practice headers without exploit path
  • Clickjacking on non-sensitive pages
  • Verbose error messages without sensitive data
  • SSL/TLS configuration improvements

Rules of engagement

  1. Do not access, modify, or delete customer data. If you accidentally access customer data, stop immediately and report it.
  2. Do not perform actions that could degrade service availability (no load testing, DoS, resource exhaustion).
  3. Use dedicated test accounts only. Create your own account for testing; do not test against other users' accounts.
  4. Report vulnerabilities promptly and allow reasonable time for remediation before public disclosure.
  5. Do not use automated scanners against production systems without prior written approval.
  6. Comply with all applicable laws.

How to report

Send reports to

security@jiegou.ai

Please include

  • Description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, videos, or code)
  • Impact assessment
  • Suggested remediation (optional)
  • Your contact information for follow-up

Response timeline

  1. Acknowledgment — 48 hours
  2. Triage and severity assessment — 5 business days
  3. Remediation (Critical) — 7 days
  4. Remediation (High) — 30 days
  5. Remediation (Medium/Low) — 90 days
  6. Reward payment — 30 days after fix verified

Safe Harbor

JieGou will not pursue legal action against researchers who:

  • Follow this policy and the rules of engagement
  • Report vulnerabilities in good faith
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Do not access, modify, or exfiltrate customer data

This program does not constitute an employment or contractor relationship. Rewards are discretionary and determined by JieGou based on severity, impact, and quality of the report. JieGou reserves the right to modify or terminate this program at any time.