Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

Targets

All *.indeed.com, indeed.co.*, and indeed.com.* domains share the same codebase and will therefore be rewarded only once. For example: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in, etc.

Focus areas:

  • indeed.com
  • indeed.com/resumes
  • employers.indeed.com
  • ads.indeed.com/jobroll
  • secure.indeed.com
  • jobsmap.com
  • gotajob.indeed.com
  • resumatch.indeed.com
  • bugcrowd-testing.mobolt.com

Out of Scope:

  • Security bugs in third-party websites that integrate with Indeed Apply
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

  • Automated vulnerability scanning tools are strictly prohibited.
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers).
  • Create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
  • Indeed regularly purges accounts that perform suspicious activities on our web properties. All accounts belonging to whitehat researchers should end in “+bugbounty” to prevent deletion. (e.g. myemailaddress+bugbounty@gmail.com)

The following issues are not considered rewardable:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password