Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.
Through this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.
Find a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.
Rewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:
Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io
If you're using your company's Greenhouse account, testing is not permitted without prior written authorization from Greenhouse.
We do not provide test accounts.
Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.
Social engineering attacks against employees are out-of-bounds and will not be accepted.
Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.
Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.
If we catch you using a scanner against our applications you may be subject to being banned from our bounty
You are not an individual on, or residing in any country on, any U.S. sanctions lists.
You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue
Submissions without a working PoC will likely be rejected
| Action | Target |
| --- | ---| --- |
| Time to first response | 3 days
| Time to triage | 7 days
These issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc.
Email configuration (SPF, DKIM, DMARC)
SSL/TLS ciphers or denial of service issues
Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages
No Strict-Transport-Security header
Content Security Policy configuration issues
Issue related to links or forms outside of the greenhouse.io or grnh.se domains
Broken links on our company landing page, blog or marketing webpages
Problems related to widely publicized CVE's
Downstream providers we do not control (e.g. Marketo)
Denial of service issues on form input length
io.greenhouse.recruiting (Mobile Applications)
|Scope Type||Scope Name|
|Scope Type||Scope Name|
The public program Greenhouse.io on the platform Hackerone has been updated on 2019-08-06, The lowest reward is 100 $.