SEEK

For this program, we're inviting researchers to test SEEK's web applications and services - with a focus of identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers profiles and resumes).

Thank you for participating!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.

To maximize your reward and payout time frame, please make sure to include the following in your report:

• An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
• Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
• Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.

Triage SLA

For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.

Any domain/property of SEEK not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team.

SEEK uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems.

---

Target Info:

Domains outside of *.seek.com.au typically have less impact for SEEK, and thus may impact the reward amount.

www.seek.com.au - Gives jobseekers a way to search and apply for jobs posted by advertisers (companies, recruiters, etc who post jobs). Jobseekers are able to upload a CV (resume), add profile information through the jobseeker website.

talent.seek.com.au - Designed for advertisers to post jobs onto www.seek.com.au and manage jobseekers who apply for the job.

*.certsy.com & *.certsynonprod.com helps job seekers to verify their claimed credentials
(eg right to work, valid drivers licence, etc) by providing evidence (eg passport, drivers
licence, etc) that we can check with relevant authorities or other verification methods.

*.cloud.seek.com.au - Customer facing API's.

*.skinfra.xyz, *.myseek.xyz *.outfra.xyz - Are used to host SEEK's corporate services and API's that are not designed to be accessed or consumed directly by customers but instead by SEEK employees and services.

iOS and Android Mobile Applications

• The Android application can be found here.
• The iOS application can be found here.

*.sol-data.com, *.jobapi.net, *.jobapi.io - Used for capturing search metrics, search API's including jobs, locations, salaries, etc.

Some of these domains may not return any content by themselves, but are used within the context of typical application usage - e.g. authentication flows. Some of these domains do host sites / API's but most of them should be for SEEK employees only.

Most of SEEK's products are hosted on Amazon Web Services (AWS), are built using .NET, Nodejs, Golang, SQL Server and non relational databases. Both the iOS and Android applications are built using native frameworks, libraries and languages.

Access

Please sign up for accounts on www.seek.com.au and talent.seek.com.au and all Certsy assets using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

You can create Certsy accounts here

---

Rules for posting a job

When posting jobs on talent.seek.com.au only post jobs using the following details:

Job title (must contain): "Bugcrowd - Do Not Apply”
Job location: Russia & Eastern Europe
Job ad classification: Farming, Animals & Conservation -> Farm Management

DO NOT post Premium Ads, upgrade to Premium Ads or apply for Guaranteed Hire.

Rules and Advice for Certsy

• Use your @bugcrowdninja email address to set up a Certsy account and a SEEK account, because you’ll need both accounts to test our sharing functionality.
• For police checks, we suggest you use certsynonprod.com (our staging environment) so you can use Stripe test cards to get past the payment gateway.
• If you prefer, you can use fictional document information or images to test out the Certsy verification flow. Our admin system should catch this and reject the check.
• After submitting a verification request, you will be prompted to share the result with SEEK. This is an oAuth flow connecting your SEEK and Certsy accounts for data sharing. You do not need to be successfully verified to do this step.

Focus areas

We are most interested in critical vulnerabilities that allow access to customer PII data (user's profile's and CV's) or SEEK corporate data and access to SEEK's internal network.

For Certsy, we are most interested in critical vulnerabilities that allow access to customer PII and sensitive data (user profiles, CVs, identity documents, credential evidence, verified data, etc) or SEEK corporate data and access to SEEK’s internal network.

Rules & Out of Scope

• DO NOT interact or affect existing customers during testing. This includes things like posting a job not using the instructions above, which could result in real customers applying for your test job ads!!
• Automated vulnerability scanning tools are strictly prohibited.
• SEEK regularly blocks attacks from users performing suspicious activity. All email addresses belonging to researchers should be your @bugcrowdninja.com.

Exclusions

• Cookie flags ie. Secure, HTTPOnly.
• Volume related issues ie. Brute-force, rate-limiting, denial of service.
• Social engineering of any kind against SEEK employees or its users
• Email configuration ie. SPF, DKIM, DMARC.
• Error pages ie. verbose error messages, stack traces, invalid status codes.
• Admin or maintenance pages ie. monitoring system login pages, pages with no sensitive information.
• Clickjacking ie. missing X-Frame-Options header.
• CSRF on unauthenticated resources ie. login/logout, pages with anonymous access, non-sensitive information.
• Mobile issues that require root access or unsupported OS versions ie. credentials in Android SharedPreferences.
• Non-sensitive exposed API keys ie. Google Maps, Raygun.
• Absent or misconfigured HTTP headers ie. Content-Security-Policy, Strict-Transport-Security, X-XSS-Protection, Cache-Control.
• Configuration that is not directly exploitable ie. weak TLS ciphers, password policy, session expiration, certificate pinning.