About

Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.

Through this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.

Find a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.

Guidelines

Rewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:

• Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io

• If you're using your company's Greenhouse account, testing is not permitted without prior written authorization from Greenhouse.

• We do not provide test accounts.

• Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.

• Social engineering attacks against employees are out-of-bounds and will not be accepted.

• Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.

• Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.

• If we catch you using a scanner against our applications you may be subject to being banned from our bounty

• You are not an individual on, or residing in any country on, any U.S. sanctions lists.

• You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue

Submissions without a working PoC will likely be rejected

Response Times

| Action | Target |

| --- | ---| --- |

| Time to first response | 3 days

| Time to triage | 7 days

Known Issues, Ineligible For Reward

These issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc.

• Login/Logout CSRF/XSRF

• Email configuration (SPF, DKIM, DMARC)

• SSL/TLS ciphers or denial of service issues

• Diffie-Hellman parameters

• Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages

• No Strict-Transport-Security header

• Content Security Policy configuration issues

• Issue related to links or forms outside of the greenhouse.io or grnh.se domains

• Broken links on our company landing page, blog or marketing webpages

• Problems related to widely publicized CVE's

• DDoS

• Downstream providers we do not control (e.g. Marketo)

• Denial of service issues on form input length

• io.greenhouse.recruiting (Mobile Applications)