For this program, we're inviting researchers to test SEEK's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly job seekers' profiles and resumes).
Thank you for participating!
A Few Important Requirements for SEEK:
- Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on SEEK assets.
- All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @bugcrowdninja.com email ID, you run the risk of being blocked from accessing SEEK applications.
- Customer instances are not to be accessed in any way (i.e. no customer data is to be accessed, and customer credentials are not to be used or "verified").
- If you believe you have found sensitive customer data (e.g., login credentials, API keys, etc.) or a way to access customer data (i.e. through a vulnerability), report it, but do not attempt to validate that it works.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability's priority will be adjusted according to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.
To maximize your reward and shorten the payout time frame, please make sure to include the following in your report:
- An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
- Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
- Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.