For this program, we're inviting researchers to test SEEK's web applications and services - with a focus of identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers profiles and resumes).
Thank you for participating!
A Few Important Requirements for SEEK:
- Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on SEEK assets.
- All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @Bugcrowdninja.com email ID, you run the risk of getting blocked from accessing SEEK applications.
- Customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
- If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.
To maximize your reward and payout time frame, please make sure to include the following in your report:
- An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
- Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
- Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.