JFrog Security Research

Cutting Edge Security Research to Protect the Modern Software Supply Chain

Our dedicated team of security engineers and researchers is committed to advancing software security through the discovery, analysis, and disclosure of new vulnerabilities and attack methods.

Software Vulnerabilities

Latest vulnerabilities discovered by the team

JFrog security researchers and engineers collaborate to create advanced vulnerability scanners, built on a deep understanding of attackers' techniques.

We use our automated scanners to help the community by continually identifying new vulnerabilities in publicly available software packages and disclosing them.

Malicious Packages

Latest malicious packages disclosed by the team

Given the widespread use of open-source software (OSS) packages in modern application development, public OSS repositories have become a popular target for supply chain attacks.

To help foster a secure environment for developers, the JFrog Security research team continuously monitors popular repositories with our automated tooling, and reports malicious packages discovered to repository maintainers and the wider community.

OSS Tools

Latest security OSS tools released by the team

When new software security threats arise, in many cases the time to respond is of the essence.
The JFrog Security research team supports the community with a range of OSS tools to identify such threats in your software quickly.

  • npm-domain-check
    Checks if a specific npm package may be susceptible to domain hijacking (directly or via its dependencies)
    Published on 24 May. 2022
  • nimbuspwn-detector
    Checks if the current system is vulnerable to Nimbuspwn
    Published on 28 Apr. 2022
  • scan_spring
    Scans a root folder recursively for .jar and .war files which contain web endpoints that may be vulnerable to CVE-2022-22965
    Published on 31 Mar. 2022
  • CVE-2018-25032-detector
    Scans a path recursively and prints binaries that use deflateInit2(), which makes them potentially susceptible to CVE-2018-25032
    Published on 30 Mar. 2022
  • pwnkit-detector
    Checks if the current system is vulnerable to PwnKit
    Published on 27 Jan. 2022

The JFrog Detection Edge

The JFrog Security research team is part of the group behind JFrog Xray, enhancing its unique vulnerability database and utilizing patented technology to quickly detect unknown security issues in both open source and proprietary code.

Report Vulnerabilities Discovered in JFrog Products

The security and quality of our code is a top priority for JFrog. If you find a vulnerability or any other type of security issue in one of our products, please report it to us immediately. Security researchers may be able to participate in a bug bounty program and earn rewards for their findings.

Learn more about how to report a vulnerability