Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

Targets

All *.indeed.com, *.indeed.co.*, and indeed.com.* domains share the same codebase, so a given vulnerability is rewarded only once regardless of how many of these domains it affects. Examples: ar.indeed.com, www.indeed.com.sg, indeed.com.ph, indeed.co.in, etc.

Focus areas:

  • indeed.com
  • indeed.com/resumes
  • employers.indeed.com
  • ads.indeed.com/jobroll
  • secure.indeed.com
  • jobsmap.com
  • gotajob.indeed.com
  • resumatch.indeed.com
  • bugcrowd-testing.mobolt.com

Out of Scope:

  • Security bugs in third-party websites that integrate with Indeed Apply
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers). Instead, create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.

Rewards

| Priority | Criticality | Description | Reward Amount |
|---|---|---|---|
| P1 | CRITICAL | Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, etc. Examples: Remote Code Execution, Vertical Authentication bypass, XXE, User authentication bypass. | Up to $5000 |
| P2 | HIGH | Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS for another user, some CSRF depending on impact. | Up to $1800 |
| P3 | MEDIUM | Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: Reflected XSS, Direct object reference, URL Redirect, some CSRF depending on impact. | Up to $600 |
| P4 | LOW | Issues that affect single users and require interaction or significant prerequisites (e.g. MitM) to trigger. Examples: Common flaws, Debug information, Mixed Content. | Up to $100 |
| P5 | BIZ ACCEPTED RISK | Non-exploitable weaknesses in functionality and “won’t fix” vulnerabilities. Examples: Best practices, mitigations, issues that are by design or deemed an acceptable business risk to the customer, such as lack of Code Obfuscation or SSL Pinning, etc. | $0 |

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

  • Automated vulnerability scanning tools are strictly prohibited.
  • No attacks against Indeed’s existing user base (i.e. job seekers, advertisers, and publishers).
  • Create your own job seeker, advertiser, and/or publisher account and perform research against those web applications.
  • Indeed regularly purges accounts that perform suspicious activities on our web properties. All accounts belonging to whitehat researchers should use an email address ending in “+bugbounty” to prevent deletion (e.g. myemailaddress+bugbounty@gmail.com).

The following issues are not considered rewardable:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password