At Inflection, we're always looking for ways we can improve the security of our software. We know that no technology is perfect, and that's why we believe in working with the security community to find and squash vulnerabilities in our code.. If you send us a report, we'll do our best to respond to you within 3 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process as well.

Program Rules

• You must follow these program rules, which include HackerOne's disclosure guidelines __, for your report to be eligible for a reward.
• Please check the list of out-of-scope and known issues before submitting a report. For example, if you submit a report relating to Denial of Service, when that is an excluded issue, we will close the report as Not Applicable.
• Social engineering of Inflection staff and contractors, or physical attempts against Inflection property, are strictly prohibited.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you can chain the vulnerabilities.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Issues found through automated testing or scanner-generated reports are unlikely to be rewarded with a bounty, as we already run automated tests against our infrastructure.
• Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.
• We do not currently provide non-sandboxed accounts for testing purposes.

Rewards

Our rewards are based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of our Security Team. While we generally try to follow CVSS scoring guidelines to determine impact, other factors may affect the severity that we ultimately choose to assign to a vulnerability. For example, reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information) may be considered “Low” instead of “Medium” severity.

Critical severity bugs - minimum $2000:

• Remote Code Execution
• Vertical Authentication bypass
• SQL Injection that leaks targeted data

High severity bugs - minimum $750:

• Lateral authentication bypass
• Stored XSS (excluding unexploitable self-XSS)
• Local file inclusion
• Insecure handling of authentication cookies

Medium severity bugs - minimum $100:

• Reflected XSS
• Insecure Direct Object References
• CSRF on sensitive actions and functions

Low severity bugs - $0 (not eligible for bounty):

• Installation path or directory structure disclosures
• Referer header information leaks
• Any other bugs that are extremely limited in scope, require extensive exploit chaining, or can only be activated under unlikely circumstances

Scope

The following properties are in scope. If you have any questions about scope, please ask us at security@inflection.com BEFORE performing any testing.

• *.goodhire.com

Please note that www.goodhire.com __is hosted on HubSpot. Depending on the nature of the vulnerability you report, we may direct you to HubSpot's bug bounty program instead.

The following properties are explicitly out of scope. For now, please do not test against against these properties:

• *.inflection.com

If you identify any scopes not listed above that you believe belong to Inflection, please let us know at security@inflection.com BEFORE performing any testing.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Host header injection
• Previously-known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Missing best practices in HTTP header configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Spamming/rate-limiting/brute-force issues (e.g. repeatedly sending password reset requests or login attempts)
• Account/email enumeration issues
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Referer header leaks

Known Issues

The following issues are already known to our Security team - please do not submit new reports related to them, as they will be considered duplicates.

• GoodHire users are not currently required to enter their current password when setting a new password.
• GoodHire users do not receive a notification email when their account email or password is changed.
• The HubSpot CMS (used for www.goodhire.com __, theworks.goodhire.com, and content.goodhire.com) does not implement several HTTP security headers such as X-Frame-Options

Thank you for helping keep Inflection and our users safe!