Greenhouse.io
2014-08-16
2019-08-06 (last update)
Reward: 100 $

About

Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.

Through this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.

Find a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.

Guidelines

Rewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:

  • Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io. Note that the In Scope list further down also names jss.greenhouse.io, support.greenhouse.io and two developers.greenhouse.io pages, which do not appear in this reward-eligible list.
  • If you're using your company's Greenhouse account, testing is not permitted without prior written authorization from Greenhouse.
  • We do not provide test accounts.
  • Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.
  • Social engineering attacks against employees are out-of-bounds and will not be accepted.
  • Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.
  • Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept is not considered original work and will not be accepted.
  • If we catch you using a scanner against our applications you may be banned from our bounty program.
  • You are not an individual on, or residing in any country on, any U.S. sanctions lists.
  • You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue.

Submissions without a working PoC will likely be rejected.

Response Times

Action                  Target
Time to first response  3 days
Time to triage          7 days

Known Issues, Ineligible For Reward

These issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc.

  • Login/Logout CSRF/XSRF
  • Email configuration (SPF, DKIM, DMARC)
  • SSL/TLS ciphers or denial of service issues
  • Diffie-Hellman parameters
  • Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages
  • No Strict-Transport-Security header
  • Content Security Policy configuration issues
  • Issues related to links or forms outside of the greenhouse.io or grnh.se domains
  • Broken links on our company landing page, blog or marketing webpages
  • Problems related to widely publicized CVEs
  • DDoS
  • Downstream providers we do not control (e.g. Marketo)
  • Denial of service issues on form input length

In Scope

Scope Type           Scope Name
android_application  io.greenhouse.recruiting
android_application  https://play.google.com/store/apps/details?id=io.greenhouse.recruiting&hl=en_US
ios_application      io.greenhouse.recruiting
ios_application      io.greenhouse.events
ios_application      https://itunes.apple.com/us/app/greenhouse-recruiting/id1112028249?mt=8
ios_application      https://itunes.apple.com/us/app/greenhouse-events/id1297671795?mt=8
web_application      api.greenhouse.io
web_application      app.greenhouse.io
web_application      jss.greenhouse.io
web_application      support.greenhouse.io
web_application      onboarding.greenhouse.io
web_application      boards.greenhouse.io
web_application      www.greenhouse.io
web_application      https://developers.greenhouse.io/harvest.html
web_application      https://developers.greenhouse.io/job-board.html#retrieve-a-department

Out of Scope

Scope Type           Scope Name
web_application      community.greenhouse.io
web_application      resources.greenhouse.io


The public program Greenhouse.io on the HackerOne platform was last updated on 2019-08-06. The lowest reward is 100 $.

FireBounty © 2015-2021