28487 policies in database
Link to program      
2014-08-16
2019-08-06
Greenhouse.io logo
Thank
Gift
HOF
Reward

Reward

100 $ 

Greenhouse.io

About

Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.

Through this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.

Find a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.

Guidelines

Rewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:

  • Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io

  • If you're using your company's Greenhouse account, testing is not permitted without prior written authorization from Greenhouse.

  • We do not provide test accounts.

  • Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.

  • Social engineering attacks against employees are out-of-bounds and will not be accepted.

  • Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.

  • Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.

  • If we catch you using a scanner against our applications you may be subject to being banned from our bounty

  • You are not an individual on, or residing in any country on, any U.S. sanctions lists.

  • You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue

Submissions without a working PoC will likely be rejected

Response Times

| Action | Target |

| --- | ---| --- |

| Time to first response | 3 days

| Time to triage | 7 days

Known Issues, Ineligible For Reward

These issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc.

  • Login/Logout CSRF/XSRF

  • Email configuration (SPF, DKIM, DMARC)

  • SSL/TLS ciphers or denial of service issues

  • Diffie-Hellman parameters

  • Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages

  • No Strict-Transport-Security header

  • Content Security Policy configuration issues

  • Issue related to links or forms outside of the greenhouse.io or grnh.se domains

  • Broken links on our company landing page, blog or marketing webpages

  • Problems related to widely publicized CVE's

  • DDoS

  • Downstream providers we do not control (e.g. Marketo)

  • Denial of service issues on form input length

  • io.greenhouse.recruiting (Mobile Applications)

In Scope

Scope Type Scope Name
web_application

api.greenhouse.io

web_application

app.greenhouse.io

web_application

jss.greenhouse.io

web_application

support.greenhouse.io

web_application

onboarding.greenhouse.io

web_application

boards.greenhouse.io

web_application

www.greenhouse.io

Out of Scope

Scope Type Scope Name
web_application

community.greenhouse.io

web_application

resources.greenhouse.io

web_application

store.greenhouse.io


The public program Greenhouse.io on the platform Hackerone has been updated on 2019-08-06, The lowest reward is 100 $.

FireBounty © 2015-2022

Legal notices