Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.
All *.indeed.com, *.indeed.co.*, and indeed.com.* domains share the same codebase and will therefore be rewarded only once. For example: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in, etc.
Out of Scope:
- Security bugs in third-party websites that integrate with Indeed Apply
- No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
| Priority | Severity | Description | Reward |
|---|---|---|---|
| P1 | CRITICAL | Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, etc. Examples: remote code execution, vertical authentication bypass, XXE, user authentication bypass. | Up to $5000 |
| P2 | HIGH | Vulnerabilities that affect the security of the platform, including the processes it supports. Examples: lateral authentication bypass, stored XSS affecting another user, some CSRF depending on impact. | Up to $1800 |
| P3 | MEDIUM | Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: reflected XSS, direct object reference, URL redirect, some CSRF depending on impact. | Up to $600 |
| P4 | LOW | Issues that affect single users and require interaction or significant prerequisites (e.g. MitM) to trigger. Examples: common flaws, debug information, mixed content. | Up to $100 |
| P5 | BIZ ACCEPTED RISK | Non-exploitable weaknesses in functionality and “won’t fix” vulnerabilities. Examples: best practices, mitigations, issues that are by design or deemed an acceptable business risk to the customer, such as use of code obfuscation, SSL pinning, etc. | $0 |
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.
The following issues are not considered rewardable: