Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.
Targets
- *.indeed.com/*
- https://play.google.com/store/apps/details?id=com.indeed.android.jobsearch
- https://itunes.apple.com/us/app/job-search/id309735670?mt=8
- https://bugcrowd-testing.mobolt.com
All .indeed.com, *.indeed.co., and indeed.com.* domains share the same codebase and will therefore be rewarded only once. For example: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in etc.
Focus areas:
- indeed.com
- indeed.com/resumes
- employers.indeed.com
- ads.indeed.com/jobroll
- secure.indeed.com
- jobsmap.com
- gotajob.indeed.com
- resumatch.indeed.com
- bugcrowd-testing.mobolt.com
Out of Scope:
- Security bugs in third-party websites that integrate with Indeed Apply
- No attacks against Indeed’s existing user base (i.e. - job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
Rules
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.
The following issues are not considered reward-able:
