SEEK

  • $50 – $10,000 per vulnerability
  • Managed by Bugcrowd

Program stats

128 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$1,177.91 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

For this program, we're inviting researchers to test SEEK's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly job seekers' profiles and resumes).

Thank you for participating!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. Note, however, that a vulnerability's priority may be adjusted according to its actual likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.

To maximize your reward and payout time frame, please make sure to include the following in your report:

  • An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
  • Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue serious.
  • Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.

Triage SLA

For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.

Reward Range

Technical severity      Reward range
P1 Critical             $5,000 - $10,000
P2 Severe               $700 - $5,000
P3 Moderate             $200 - $700
P4 Low                  $50 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                                  Type
*.seek.com.au                                Website
https://seekcdn.com                          Other
Seek iOS and Android mobile applications     Other
*.skinfra.xyz                                Website
*.myseek.xyz                                 Website
*.outfra.xyz                                 Website
*.sol-data.com                               API
*.jobapi.net                                 API
*.jobapi.io                                  API

Any domain/property of SEEK not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
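The scope list above, as an added example that is not part of the original brief: a small Python filter that decides whether a host or URL found during recon falls under one of the in-scope entries, so that out-of-scope subdomains and lookalike hosts are dropped before any testing starts. It assumes Bugcrowd's usual wildcard reading (any subdomain, one or more labels deep, matches `*.example`) and, conservatively, that the bare apex (e.g. seek.com.au) is not covered by `*.seek.com.au`; confirm that with the program before testing an apex. Entries written without a wildcard (https://seekcdn.com) match only that exact host. The mobile applications are not host-based and are left out of the list. The recon hosts in the demo are constructed, not real findings.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Host-based in-scope targets copied from the program brief.
# The iOS/Android apps are not host-based and are omitted here.
IN_SCOPE = [
    "*.seek.com.au",
    "https://seekcdn.com",
    "*.skinfra.xyz",
    "*.myseek.xyz",
    "*.outfra.xyz",
    "*.sol-data.com",
    "*.jobapi.net",
    "*.jobapi.io",
]


def _host(value: str) -> str:
    """Reduce a brief entry, bare host, host:port or URL to a lowercase hostname."""
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()   # drop trailing dot, normalise case


def in_scope(candidate: str) -> Optional[str]:
    """Return the scope entry that covers `candidate`, or None if out of scope."""
    host = _host(candidate)
    if not host:
        return None
    for entry in IN_SCOPE:
        if entry.startswith("*."):
            base = entry[2:].lower()
            # Any number of labels under the base. Requiring the leading dot
            # rejects lookalikes such as notseek.com.au and seek.com.au.evil.com.
            # Assumption: the apex itself (host == base) is NOT in scope.
            if host.endswith("." + base):
                return entry
        elif host == _host(entry):
            # Non-wildcard entry: exact host only, no subdomains.
            return entry
    return None


def filter_scope(hosts: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each recon host to the entry that covers it (None = do not test)."""
    return {h: in_scope(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of hosts a subdomain enumeration run might return.
    recon = [
        "https://www.seek.com.au/jobs",
        "api.cloud.seek.com.au:443",
        "seek.com.au",
        "seekcdn.com",
        "cdn.seekcdn.com",
        "seek.com.au.evil.com",
        "notseek.com.au",
        "metrics.jobapi.io",
    ]
    for host, entry in filter_scope(recon).items():
        print(f"{host:35} -> {entry or 'OUT OF SCOPE'}")
```

Run it over the output of your subdomain enumeration before pointing any manual testing at a host; everything reported as out of scope, including the apex domains, needs explicit confirmation from the program first.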


Target Info:

Domains outside of *.seek.com.au typically have less impact for SEEK, so findings on them may receive a lower reward.

www.seek.com.au - Gives jobseekers a way to search for and apply to jobs posted by advertisers (companies, recruiters, etc. who post jobs). Jobseekers can upload a CV (resume) and add profile information through the jobseeker website.

talent.seek.com.au - Designed for advertisers to post jobs onto www.seek.com.au and manage the jobseekers who apply for those jobs.

*.cloud.seek.com.au - Customer-facing APIs.

*.skinfra.xyz, *.myseek.xyz, *.outfra.xyz - Host SEEK's corporate services and APIs, which are not designed to be accessed or consumed directly by customers but by SEEK employees and services.

iOS and Android Mobile Applications

  • The Android application can be found here.
  • The iOS application can be found here.

*.sol-data.com, *.jobapi.net, *.jobapi.io - Used for capturing search metrics and for search APIs (jobs, locations, salaries, etc.).

Some of these domains may not return any content by themselves, but are used within the context of typical application usage, e.g. authentication flows. Some of these domains do host sites/APIs, but most of them should be for SEEK employees only.

Most of SEEK's products are hosted on Amazon Web Services (AWS) and are built using .NET, Node.js, Go, SQL Server and non-relational databases. Both the iOS and Android applications are built using native frameworks, libraries and languages.

Access

Please sign up for accounts on www.seek.com.au and talent.seek.com.au using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.


Rules for posting a job

When posting jobs on talent.seek.com.au only post jobs using the following details:

Job title (must contain): "Bugcrowd - Do Not Apply"
Job location: Russia & Eastern Europe
Job ad classification: Farming, Animals & Conservation -> Farm Management

DO NOT post Premium Ads, upgrade to Premium Ads or apply for Guaranteed Hire.

Focus areas

We are most interested in critical vulnerabilities that allow access to customer PII (users' profiles and CVs), to SEEK corporate data, or to SEEK's internal network.

Rules & Out of Scope

  • DO NOT interact with or affect existing customers during testing. This includes posting a job without following the instructions above, which could result in real customers applying for your test job ads!
  • Automated vulnerability scanning tools are strictly prohibited.
  • SEEK regularly blocks attacks from users performing suspicious activity. All researcher accounts must use your @bugcrowdninja.com email address.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.