Indeed

  • $50 – $10,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 1887
  • Validation within 8 days 75% of submissions are accepted or rejected within 8 days
  • Average payout $1,154.41 within the last 3 months

Latest hall of famers

Recently joined this program

Our Mission:

At Indeed, our mission is to help people get jobs.

Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.

Indeed may award an additional reward bonus for exceptional reports. This will be done at Indeed’s discretion. Good luck, and happy hunting!


Testing Requirement

Create your Job Seeker and Employer accounts with a +bugbounty to avoid moderation locking your account for suspicious activity. Example: researcher+bugbounty@bugcrowdninja.com

Include bugbounty in the company title you create and do not attempt to misrepresent yourself as a real company.

Where possible, add text bugbounty to requests you are sending to our applications, so our team can identify the traffic being generated as part of your testing.


Program Ground Rules

  • Respect our users' privacy.
  • Leave the Site as you found it.
  • Don't violate our Terms of Service or the law.
  • Don't impact our services.
  • No interacting with others.
  • Cooperate with Indeed.
  • Participation Eligibility.
  • Follow Bugcrowd's rules.

Respect our users’ privacy.

If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Indeed. To participate in this program, you only need to explain the technical vulnerability you discovered.

You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through this research. If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.

Leave the site as you found it.

Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our site during your research, except to report your research to Indeed.

Don't violate our Terms of Service or the law.

All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws.
In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, New York Privacy Act 2021, once they become effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.

Don't impact our services.

You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be blocked and removed from the program.

When testing purchasing services on Indeed, limit any purchase amounts to under $10K and no larger than needed.

No interacting with others.

Any form of interaction with others on or through our Sites, including but not limited to other Indeed users, is strictly prohibited. On Indeed,close any active test jobs immediately after testing. On Indeed Flex, do not publish any jobs. Do not make any attempts to phish users or employees.

Cooperate with Indeed.

You will be expected to cooperate with us if we request your assistance in connection with your research.

Participation Eligibility.

Current employees or contractors of Indeed and Indeed Flex are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only, if:

  • they have left Indeed and Indeed Flex more than 1 year prior to submission, and
  • they are not making use of, or referring to, any non-public Indeed/Indeed Flex information obtained when they were an employee or contractor.

Follow Bugcrowd’s rules.

This program follows Bugcrowd’s standard disclosure terms.


Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.