SEEK

  • $50 – $10,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 340
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days
  • Average payout: $150 within the last 3 months

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

For this program, we're inviting researchers to test SEEK's web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers' profiles and resumes).

Thank you for participating!

A Few Important Requirements for SEEK:

  • Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on SEEK assets.
  • All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @bugcrowdninja.com email ID, you run the risk of getting blocked from accessing SEEK applications.
  • Customer instances are not to be accessed in any way (i.e. no customer data is to be accessed, and customer credentials are not to be used or "verified").
  • SEEK welcomes submissions from researchers who have found breached credentials. SEEK reserves the right to treat each submission and any option to reward on a case-by-case basis.
    • If you believe you have found sensitive customer data (e.g., login credentials, API keys, etc.) or a way to access customer data (i.e. through a vulnerability), report it, but do not attempt to validate whether it works.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability's priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.

To maximize your reward and payout time frame, please make sure to include the following in your report:

  • An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
  • Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
  • Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.

Triage SLA

For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.