Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

Note: All valid and non-duplicate MOBILE vulnerabilities submitted July 1, 2016 through September 30th, 2016 qualify for the Bugcrowd Mobile Raffle. See the full details here: http://bgcd.co/2bJOAys

Targets

All *.indeed.com, *.indeed.co.* and indeed.com.* domains share the same codebase, so a vulnerability that reproduces across these localized sites is rewarded only once. For example: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in, etc.

We accept vulnerabilities in other applications owned by Indeed (usually, but not always, subdomains of indeed.com). We do not typically accept vulnerabilities in third-party applications that carry Indeed branding (such as indeed.jobs).

Focus areas:

  • indeed.com
  • indeed.com/resumes
  • employers.indeed.com
  • ads.indeed.com/jobroll
  • secure.indeed.com
  • jobsmap.com
  • gotajob.indeed.com
  • resumatch.indeed.com
  • bugcrowd-testing.mobolt.com

Out of Scope:

  • Security bugs in third-party websites that integrate with Indeed Apply
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those accounts.

Rewards

Priority | Criticality | Description | Reward Amount
P1 | CRITICAL | Vulnerabilities that allow privilege escalation on the platform from an unprivileged user to admin, remote code execution, etc. Examples: remote code execution, vertical authentication bypass, XXE, user authentication bypass. | Up to $5000
P2 | HIGH | Vulnerabilities that affect the security of the platform, including the processes it supports. Examples: lateral authentication bypass (accessing another user's account or data at the same privilege level), stored XSS that fires for another user, some CSRF depending on impact. | Up to $1800
P3 | MEDIUM | Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: reflected XSS, insecure direct object reference, open URL redirect, some CSRF depending on impact. | Up to $600
P4 | LOW | Issues that affect single users and require user interaction or significant prerequisites (e.g. a man-in-the-middle position) to trigger. Examples: common flaws, debug information, mixed content, self-XSS. | Up to $100
P5 | BIZ ACCEPTED RISK | Non-exploitable weaknesses in functionality and “won’t fix” vulnerabilities. Examples: best-practice and hardening recommendations, and issues that are by design or deemed an acceptable business risk to the customer, such as the absence of code obfuscation or SSL certificate pinning in mobile apps. | $0

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

  • Automated vulnerability scanning tools are strictly prohibited.
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers).
  • Create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
  • Indeed regularly purges accounts that perform suspicious activities on our web properties. All accounts belonging to whitehat researchers should end in “+bugbounty” to prevent deletion. (e.g. myemailaddress+bugbounty@gmail.com)

The following issues are not considered rewardable:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password