At Inflection, we're always looking for ways we can improve the security of
our software. We know that no technology is perfect, and that's why we believe
in working with the security community to find and squash vulnerabilities in
our code.. If you send us a report, we'll do our best to respond to you within
3 business days and make a bounty determination after validating a legitimate
security issue within 10 business days. We’ll try to keep you informed about
our progress throughout the process as well.
- You must follow these program rules, which include HackerOne's disclosure guidelines __, for your report to be eligible for a reward.
- Please check the list of out-of-scope and known issues before submitting a report. For example, if you submit a report relating to Denial of Service, when that is an excluded issue, we will close the report as Not Applicable.
- Social engineering of Inflection staff and contractors, or physical attempts against Inflection property, are strictly prohibited.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you can chain the vulnerabilities.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Issues found through automated testing or scanner-generated reports are unlikely to be rewarded with a bounty, as we already run automated tests against our infrastructure.
- Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.
- We do not currently provide non-sandboxed accounts for testing purposes.
Our rewards are based on the impact of a vulnerability. Please note these are
general guidelines and examples, and that reward decisions are up to the
discretion of our Security Team. While we generally try to follow CVSS scoring
guidelines to determine impact, other factors may affect the severity that we
ultimately choose to assign to a vulnerability. For example, reflected XSS
that has minimal impact (only works in some browsers, can’t be used to steal
session information) may be considered “Low” instead of “Medium” severity.
Critical severity bugs - minimum $2000:
- Remote Code Execution
- Vertical Authentication bypass
- SQL Injection that leaks targeted data
High severity bugs - minimum $750:
- Lateral authentication bypass
- Stored XSS (excluding unexploitable self-XSS)
- Local file inclusion
- Insecure handling of authentication cookies
Medium severity bugs - minimum $100:
- Reflected XSS
- Insecure Direct Object References
- CSRF on sensitive actions and functions
Low severity bugs - $0 (not eligible for bounty):
- Installation path or directory structure disclosures
- Referer header information leaks
- Any other bugs that are extremely limited in scope, require extensive exploit chaining, or can only be activated under unlikely circumstances
The following properties are in scope. If you have any questions about scope,
please ask us at email@example.com BEFORE performing any testing.
Please note that www.goodhire.com __is hosted on
HubSpot. Depending on the nature of the vulnerability you report, we may
direct you to HubSpot's bug bounty program instead.
The following properties are explicitly out of scope. For now, please do not
test against against these properties:
If you identify any scopes not listed above that you believe belong to
Inflection, please let us know at
firstname.lastname@example.org BEFORE performing any testing.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Host header injection
- Previously-known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Missing best practices in HTTP header configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Spamming/rate-limiting/brute-force issues (e.g. repeatedly sending password reset requests or login attempts)
- Account/email enumeration issues
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Referer header leaks
The following issues are already known to our Security team - please do not
submit new reports related to them, as they will be considered duplicates.
- GoodHire users are not currently required to enter their current password when setting a new password.
- GoodHire users do not receive a notification email when their account email or password is changed.
- The HubSpot CMS (used for www.goodhire.com __, theworks.goodhire.com, and content.goodhire.com) does not implement several HTTP security headers such as X-Frame-Options
Thank you for helping keep Inflection and our users safe!
Hall of Fame