For this program, we're inviting researchers to test SEEK's web applications and services - with a focus of identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers profiles and resumes).
Thank you for participating!
For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability priority will be modified due to its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.
To maximize your reward and payout time frame, please make sure to include the following in your report:
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.
Last updated 16 January 2019 01:12:36 UTC
Technical severity | Reward range
p1 Critical | $5,000 - $10,000
p2 Severe | $700 - $5,000
p3 Moderate | $200 - $700
p4 Low | $50 - $100
P5 submissions do not receive any rewards for this program.
Target name | Type
*.seek.com.au | Website
<https://seekcdn.com> | Other
Seek iOS and Android mobile applications | Other
*.skinfra.xyz | Website
*.myseek.xyz | Website
*.outfra.xyz | Website
*.sol-data.com | API
*.jobapi.net | API
*.jobapi.io | API
Any domain/property of SEEK not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Domains outside of
*.seek.com.au typically have less impact for SEEK, and
thus may impact the reward amount.
www.seek.com.au - Gives jobseekers a way to search and apply for jobs
posted by advertisers (companies, recruiters, etc who post jobs). Jobseekers
are able to upload a CV (resume), add profile information through the
talent.seek.com.au - Designed for advertisers to post jobs onto
www.seek.com.au and manage jobseekers who apply for the job.
*.cloud.seek.com.au - Customer facing API's.
*.outfra.xyz - Are used to host SEEK's
corporate services and API's that are not designed to be accessed or consumed
directly by customers but instead by SEEK employees and services.
iOS and Android Mobile Applications
*.jobapi.io - Used for capturing search
metrics, search API's including jobs, locations, salaries, etc.
Some of these domains may not return any content by themselves, but are used within the context of typical application usage - e.g. authentication flows. Some of these domains do host sites / API's but most of them should be for SEEK employees only.
Most of SEEK's products are hosted on Amazon Web Services (AWS), are built using .NET, Nodejs, Golang, SQL Server and non relational databases. Both the iOS and Android applications are built using native frameworks, libraries and languages.
Please sign up for accounts on
using your @bugcrowdninja.com email address. For more info regarding
@bugcrowdninja email addresses, see
When posting jobs on
talent.seek.com.au only post jobs using the following
Job title (must contain) : "Bugcrowd - Do Not Apply”
Job location : Russia & Eastern Europe
Job ad classification : Farming, Animals & Conservation -> Farm Management
DO NOT post Premium Ads, upgrade to Premium Ads or apply for Guaranteed Hire.
We are most interested in critical vulnerabilities that allow access to customer PII data (user's profile's and CV's) or SEEK corporate data and access to SEEK's internal network.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.