Indeed

  • $50 – $10,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

1310 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$315.21 average payout (last 3 months)

Recently joined this program: 2686 total

Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.


A Note on Similar Submissions:
We ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.


Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

  • Automated vulnerability scanning tools are strictly prohibited.
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers).
  • Create your own job seeker, advertiser, and/or publisher accounts and perform research only against those accounts and web applications.
  • Indeed regularly purges accounts that perform suspicious activity on our web properties. To prevent deletion, the email address of every account used for whitehat research should carry the “+bugbounty” sub-address suffix (e.g. myemailaddress+bugbounty@gmail.com).

The following issues are not considered rewardable:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password