Jotform Vulnerability Disclosure Program

Ensuring the privacy and security of our user data is a top priority for Jotform. Therefore, if you believe you have found a security vulnerability that affects any Jotform product, please report it in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.

Read on for more information about our VDP program as well as the program’s requirements.

See Rules


Jotform does not provide any response target for this program.

Disclosure Policy

  • Notify us after you discover a real or potential security issue.
  • Send a clear textual description of the vulnerability along with steps to reproduce the vulnerability.
  • In order for the vulnerability report to be understandable, you can include attachments such as video, screenshots, or proof of concept code as necessary.
  • Don’t do more harm than good. You should not leave systems or users in a more vulnerable state than how you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users. While researching a vulnerability, if you are unsure whether you should continue, please immediately engage with the Jotform Security team.


Publicly accessible information systems, web property, or data owned, operated, or controlled by Jotform.

Non-Qualifying Vulnerabilities

  • Tab-nabbing.
  • Click-jacking/UI-redressing, or issues only exploitable via click-jacking.
  • Open redirect - unless an additional security impact can be demonstrated (such as stealing an authentication token, API keys etc.).
  • Denial-of-service attacks.
  • Self-XSS without a reasonable attack scenario.
  • Injecting HTML to the emails which will be sent through Jotform.
  • Fingerprinting on common/public services.
  • Disclosure of known public files or directories (e.g robots.txt, sitemap.xml).
  • Information disclosure without significant impact.
  • SSL/TLS version and configuration issues, weak ciphers or expired certificates.
  • Cross-site Request Forgery (CSRF) with minimal security implications (e.g Login/Logout CSRF).
  • SPF/DKIM/DMARC related issues.
  • Missing or misconfigured security headers (e.g CSP, HSTS) which do not directly lead to a vulnerability.
  • Missing Secure or HTTPOnly flags on cookies.
  • Vulnerable software version disclosure without proof of exploitability.
  • Reports from automated tools.
  • Comma Separated Values (CSV) injection.
  • EXIF metadata not being stripped from images.
  • Brute-force attacks.
  • Scenarios that require unlikely user interaction and/or outdated OS or software version.
  • Attacks requiring Man-in-the-middle (MITM) or physical access to a user's device.
  • Bugs that do not pose any security risk.

Our Priorities Include

  • Sensitive Data Exposure
  • Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference, Privilege Escalation, Broken Access, etc.)
  • Path/Directory Traversal Issues

Program Rules

  • Never use any findings to compromise the system, exfiltrate data or pivot to other systems. Submit your report as soon as you have discovered a vulnerability.
  • If you stumble upon sensitive information, such as personal information, credentials, etc., during the assessment; do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Do not perform social engineering, phishing, and physical security attacks against Jotform offices, users, or employees.
  • It is strictly prohibited to disclose any vulnerabilities without Jotform’s explicit permission.
  • Be respectful when you are interacting with our team.

If you do not follow the rules, you may be banned from the Jotform Vulnerability Disclosure Program.

Jotform reserves the right to modify the rules for this program or deem any submissions invalid at any time. There is no monetary reward associated with the Vulnerability Disclosure Program. Jotform may discontinue the Vulnerability Disclosure Program without notice at any time.


Please note that there is no SLA associated with vulnerability disclosure program and responses to your reports is at Jotform’s sole discretion. Regardless of whether you hear back from us or not, this program does not allow disclosure by you to any other party. You may not publicly disclose information about vulnerabilities found in this program, nor share your findings with other security researchers.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Jotform and our users safe!