Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.

---

Testing Requirements

1. Research should be performed only through the job seeker, advertiser, and/or publisher account that you create on Indeed. Indeed regularly purges accounts that perform suspicious activities on our web properties; to avoid this, please use accounts with “+bugbounty” in the username for example: username+bugbounty@bugcrowdninja.com.
2. Please append your user agent header value with "Bugcrowd.replace_with_your_bugcrowd_username". When testing with Burpsuite you can use match and replace for your user agent string in Proxy options, appending the requested value to user agent string of your choice.

---

Program Ground Rules

• Respect our users' privacy.
• Leave the Site as you found it.
• Don't violate our Terms of Service or the law.
• Don't access the data of others.
• Don't impact our services.
• No interacting with others.
• Cooperate with Indeed.
• Follow Bugcrowd's rules.

Respect our users’ privacy.

If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Indeed. To participate in this program, you only need to explain the technical vulnerability you discovered.

Leave the Site as you found it.

Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our Site during your research, except to report your research to Indeed.

Don't violate our Terms of Service or the law.

All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws.

In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020 once it becomes effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.

Don't access the data of others.

You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through this research. If you happen to interact in any way with another individual's data, you must report this to us immediately.

If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability, cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.

Don't impact our services.

You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be blocked and removed from the program.

No interacting with others.

Any form of interaction with others on or through our Site, including but not limited to other Indeed users, is strictly prohibited.

Cooperate with Indeed.

You will be expected to cooperate with us if we request your assistance in connection with your research.

Follow Bugcrowd’s rules.

This program follows Bugcrowd’s standard disclosure terms.

---