Program stats

526 vulnerabilities rewarded

3 days average response time

$290.09 average payout (last 12 weeks)

Latest hall of famers

Recently joined this program

1470 total

Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.

Targets

Generally speaking, in scope Indeed products include any of our mobile apps (Job search, employer apps, job spotter) on both iOS and Android, our core *.indeed.com web applications (see the focus areas below), or any Indeed branded 3rd party applications we use for less common cases.

For our mobile apps, a lack of obfuscation of code is not a vulnerability. Obscurity is not security; only a delaying tactic. For our purposes, we purposefully want to speed up the identification of real vulnerabilities. Many of our mobile app functions are just calls to the desktop site's HTTP endpoints, so running your test device through a web proxy will find most logic bugs.

All *.indeed.com, *.indeed.co.*, and indeed.com.* domains share the same code base (with very rare exceptions) and will therefore be rewarded only once. We are an international company with many different country TLDs running the same applications. For example: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in etc. The only differences you should see would be language and different expected application flows.

For 3rd party applications, such as Wordpress, they will only be eligible for reward if there is action Indeed can take to mitigate issues identified, and if it's an action we weren't already going to make. A good example of something we wouldn't payout for is the output of WPScan showing recently out of date plugins, since regular patching is part of our WP management. An example of something we would payout for is a POC showing unintended behavior that isn't in a planned patch.

We accept vulnerabilities in other applications owned by Indeed (usually subdomains of indeed.com, but not always the case). We do not typically accept vulnerabilities in third party applications that have Indeed branding (such as indeed.jobs) unless there is clear mitigation we can take without involving the 3rd party.

Indeed adheres to Bugcrowd's Vulnerability Rating Taxonomy for the prioritization of submissions but reserves the right to downgrade or upgrade ratings based on actual business impact. In the event of a downgrade, Indeed will provide a reasonable justification to the researcher.

Focus areas:

  • indeed.com
  • indeed.com/resumes
  • employers.indeed.com
  • ads.indeed.com/jobroll
  • secure.indeed.com
  • jobsmap.com
  • gotajob.indeed.com
  • resumatch.indeed.com
  • bugcrowd-testing.mobolt.com
  • opensource.indeedeng.io/api-documentation/ (information on our APIs)

Out of Scope:

  • Security bugs in third-party websites that integrate with Indeed Apply.
  • No attacks against Indeed’s existing user base (i.e. - job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
  • Open redirects on t.indeed.com
  • The recent acquisition interviewed.com is out of scope.

Rewards

When we are determining payout, the following descriptions are not meant to be absolute categorizations. Payout amount depends on potential damage to the business and clients, ease of abuse, and how much we can actually fix. For those reasons, you will always want to provide:

  • An attack scenario: what is the most likely way an attacker actually abuses said vulnerability.
  • Clear reproduction steps: if we can't easily reproduce what you are describing, we may not consider the issue as serious.
  • Recommended fix: if you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
Priority Criticality Description Reward Amount
P1 CRITICAL Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, etc. Examples: Remote Code Execution, Vertical Authentication bypass, XXE, User authentication bypass for backend systems. Up to $5000
P2 HIGH Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS for another user, blind XSS into backend systems. Up to $1800
P3 MEDIUM Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples: Reflective XSS, Direct object reference, URL Redirect, some CSRF depending on impact. Up to $600
P4 LOW Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples: Common flaws, Debug information, Mixed Content, most CSRF, Self-XSS, or vulnerabilities that require the victim to take multiple uncommon steps. Up to $100
P5 BIZ ACCEPTED RISK Non-exploitable weaknesses in functionality and “won’t fix” vulnerabilities. Examples: Best practices, mitigation, issues that are by design or deemed acceptable business risk to the customer such as use of Code Obfuscation, SSL Pinning, etc. $0

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

  • Automated vulnerability scanning tools are strictly prohibited.
  • No attacks against Indeed’s existing user base (i.e. - job seekers, advertisers, and publishers).
  • Create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
  • Indeed regularly purges accounts that perform suspicious activities on our web properties. All accounts belonging to whitehat researchers should end in “+bugbounty” to prevent deletion. (e.g. myemailaddress+bugbounty@gmail.com)

  • The following issues are not considered reward-able:
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password