For this program, we're inviting researchers to test SEEK's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly job seekers' profiles and resumes).
Thank you for participating!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability's priority will be modified according to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.
To maximize your reward and payout time frame, please make sure to include the following in your report:
- An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
- Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
- Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.
Reward range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $5,000 - $10,000 |
| P2 Severe | $700 - $5,000 |
| P3 Moderate | $200 - $700 |
| P4 Low | $50 - $100 |
Any domain/property of SEEK not listed in the targets section is out of scope. This includes any and all subdomains not listed above.
Domains outside of *.seek.com.au typically have less impact for SEEK, and thus may affect the reward amount.
- www.seek.com.au - Gives jobseekers a way to search and apply for jobs posted by advertisers (companies, recruiters, etc. who post jobs). Jobseekers are able to upload a CV (resume) and add profile information through the jobseeker website.
- talent.seek.com.au - Designed for advertisers to post jobs onto www.seek.com.au and manage jobseekers who apply for the job.
- *.cloud.seek.com.au - Customer-facing APIs.
- *.outfra.xyz - Used to host SEEK's corporate services and APIs that are not designed to be accessed or consumed directly by customers, but instead by SEEK employees and services.
- iOS and Android mobile applications
- *.jobapi.io - Used for capturing search metrics and for search APIs (jobs, locations, salaries, etc.).
Some of these domains may not return any content by themselves, but are used within the context of typical application usage, e.g. authentication flows. Some of these domains do host sites/APIs, but most of them should be for SEEK employees only.
Most of SEEK's products are hosted on Amazon Web Services (AWS) and are built using .NET, Node.js, Golang, SQL Server and non-relational databases. Both the iOS and Android applications are built using native frameworks, libraries and languages.
Please sign up for accounts on talent.seek.com.au using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
Rules for posting a job
When posting jobs on talent.seek.com.au, only post jobs using the following details:
Job title (must contain): "Bugcrowd - Do Not Apply"
Job location: Russia & Eastern Europe
Job ad classification: Farming, Animals & Conservation -> Farm Management
DO NOT post Premium Ads, upgrade to Premium Ads or apply for Guaranteed Hire.
We are most interested in critical vulnerabilities that allow access to customer PII data (users' profiles and CVs) or SEEK corporate data, and access to SEEK's internal network.
Rules & Out of Scope
- DO NOT interact with or affect existing customers during testing. This includes things like posting a job without following the instructions above, which could result in real customers applying for your test job ads!
- Automated vulnerability scanning tools are strictly prohibited.
- SEEK regularly blocks attacks from users performing suspicious activity. All email addresses used by researchers should be your @bugcrowdninja.com addresses.