Submit bug report: https://bugcrowd.com/indeed
Our Mission:
At Indeed, our mission is to help people get jobs.
Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.
We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. Please read through the following details to help you focus on the areas most important to us.
Indeed may award an additional reward bonus for exceptional reports. This will be done at Indeed’s discretion. Good luck, and happy hunting!
Testing Requirement
Create your Job Seeker and Employer accounts with a +bugbounty to avoid moderation locking your account for suspicious activity. Example:
[email protected]
Include bugbounty in the company title you create and do not attempt to misrepresent yourself as a real company.
Where possible, add text bugbounty to requests you are sending to our applications, so our team can identify the traffic being generated as part of your testing.
Program Ground Rules
Respect our users' privacy.
Leave the Site as you found it.
Don't violate our Terms of Service or the law.
Don't impact our services.
No interacting with others.
Cooperate with Indeed.
Participation Eligibility.
Follow Bugcrowd's rules.
Respect our users’ privacy.
If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Indeed. To participate in this program, you only need to explain the technical vulnerability you discovered.
You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through this research. If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
Leave the site as you found it.
Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our site during your research, except to report your research to Indeed.
Don't violate our Terms of Service or the law.
All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws.
In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, New York Privacy Act 2021, once they become effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.
Don't impact our services.
You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be blocked and removed from the program.
No interacting with others.
Any form of interaction with others on or through our Site, including but not limited to other Indeed users, is strictly prohibited. Close any active test jobs immediately after testing. Do not make any attempts to phish users or employees.
Cooperate with Indeed.
You will be expected to cooperate with us if we request your assistance in connection with your research.
Participation Eligibility.
Current employees or contractors of Indeed are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only if:
they have left Indeed more than 1 year prior to submission, and
they are not making use of, or referring to, any non-public Indeed information obtained when they were an employee or contractor.
Follow Bugcrowd’s rules.
This program follows Bugcrowd’s standard disclosure terms.
Severity, Rewards & Reporting
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified using the methodology defined below. In an instance where an issue is downgraded, Indeed will try to provide a detailed explanation to the researcher - along with the opportunity to appeal, and make a case for a higher priority. However, the final discretion remains with Indeed.
When we are determining severity, the following descriptions are not meant to be absolute categorizations. Severity depends on potential damage to the business and clients, ease of abuse, how much we can actually fix, size of the user base, and sensitivity of the data. Note: A high severity finding on a demo application may be a P4 due to the low impact and non-sensitive data.
When we are determining rewards within a severity range, the difference between, for example, a High-P1 ($10,000) and a Low-P1 ($4,000) would depend on the number of prerequisites required, the difficulty, the impact and the likelihood of exploitation.
For those reasons, we recommend providing:
An attack scenario: what is the most likely way an attacker actually abuses said vulnerability.
Clear, numbered reproduction steps: if we can't easily reproduce what you are describing, we may misinterpret the issue or severity.
A video PoC: for more complicated exploits.
Impact: your understanding of the impact to Indeed or its users if an attacker exploits the said vulnerability.
Recommended fix: if you have any good ideas on ways to mitigate the risk without impacting normal users, it would be appreciated.
Severity: P1
Description: Vulnerabilities on Indeed applications that have the potential to: (1) affect most users, (2) disclose highly sensitive data, or (3) have a high impact on business operations.
Examples: RCE on backend systems, authentication bypass leading to account compromise, privilege escalations from unprivileged to Admin or cross-organizational lateral movement, sensitive data exposure of Job Seeker or Employer PII.
Severity: P2
Description: Vulnerabilities that have the potential to: (1) affect many users, (2) disclose sensitive data, (3) lead to reputational or substantial business loss, or (4) affect the security or availability of individual processes or services.
Examples: Stored XSS, exposed API credentials, subdomain takeovers on *.indeed.com.
Severity: P3
Description: Vulnerabilities that can affect multiple or individual users with little to no user interaction, or only have security implications within an organizational context.
Examples: Reflected XSS, intra-organizational privilege escalations, misconfigured CORS.
Severity: P4
Description: Issues that affect multiple or individual users and may require user interaction or significant prerequisites to exploit. The potential business or user impact is likely low, or the sensitivity of the data is considered to be low.
Examples: URL redirects, debug information, some intra-organizational privilege escalations.
Bugcrowd Vulnerability Rating Taxonomy (VRT) Exceptions
Some types of issues do not present a significant enough risk to Indeed, and are usually not accepted. Any submission of these types will only be rewardable if significant risk and impact can be demonstrated.
HTML injection
Self-XSS
Vulns only exploitable on out of date browsers or platforms
Information disclosure with minor security impact (pathing, stack traces, etc.)
SPF/DMARC/DKIM record missing on a domain
Vulns that require physical access or root accounts
Helpful Tips For Your Testing
Different Account Types and Roles: Job seeker and employer accounts have access to different features and views. You may want to set up test accounts as both. Organizations can have multiple employer accounts, each with different RBAC-defined roles. See https://indeed.force.com/employerSupport1/s/article/206589143?language=en_US to learn more.
Group similar submissions: We ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified.
Localization: Indeed is an international company with many different subdomains for different countries, running the same applications in different languages, for example: mx.indeed.com, ca.indeed.com, in.indeed.com, vn.indeed.com. Localized versions can share the same codebase, and therefore a vulnerability found on many may only be eligible to be rewarded once.
Third party applications: Third party applications, such as WordPress, will only be eligible for reward if there is action Indeed can take to mitigate the issues identified. A good example of something we wouldn't pay out for is the output of WPScan showing recently out-of-date plugins, since regular patching is part of our WP management. An example of something we would pay out for is a PoC showing unintended behavior that isn't in a vendor patch.
Disclosing results: This bounty requires explicit permission to disclose the results of a submission.
Documentation: Developer API portal & documentation: https://developer.indeed.com/