💚 Our Mission

Helping people everywhere find jobs and companies they love.

At Glassdoor we take our security very seriously and welcome any responsible disclosure of potential gaps in our systems. We believe that working with skilled security researchers across the globe is crucial in providing a trusted and secure service to help people everywhere find jobs and companies they love.Please read through the following details to help you focus on the areas most important to us.

Additionally, Glassdoor may award an additional reward bonus for exceptional reports. This will be done at Glassdoor's discretion. Good luck, and happy hunting!

---

#🧪 Testing Requirements:

==Please do not perform any testing on live bowls or real company pages. All testing must happen in our approved WeAreHackerOne bowl (or private test bowls you create) or the Acme/Winkler Web Design company pages. Failure to comply may result in disqualification from our program.==

Create your Glassdoor account with +hackerone: Example [email protected]
Where possible, add text bugbounty to requests you are sending to our applications, so our team can identify the traffic being generated as part of your testing.

Testing Glassdoor Payloads:

Use our test companies Acme Corp and/or Winkler Web Designs - please DO NOT test against other companies which you don't have explicit permission to. To get invited to both or either of the companies fill out the following Google Form and we will do our best to invite you as soon as possible

Testing Fishbowl Payloads:

Register on Fishbowl using your HackerOne email Alias. Example [email protected]. In doing so you will be automatically included in the company bowl "We Are Hackerone". For more information on how the HackerOne email Alias works see the following documentation

---

#📜 Program Ground Rules

• Respect our users' privacy.
• Leave the Site as you found it.
• Do not violate our Terms of Service or the law.
• Do not impact our services.
• No interacting with others.
• Cooperate with Glassdoor.
• Participation Eligibility.
• Follow Hackerone's Code of Conduct.

Respect our users' privacy.

If during your research you happen to encounter any information about another user or other individual, immediately stop and report this to Glassdoor. To participate in this program, you only need to explain the technical vulnerability you discovered.

You must avoid any viewing, copying, altering, destroying, or otherwise interacting with any data, in particular data of other individuals, to which you may gain access through your research. If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; cease testing, and submit a report immediately if you encounter any user data during testing. This may include Personally Identifiable Information (PII), Diversity and Inclusion data, or Proprietary Information.

Leave the Site as you found it.

Do not copy, save, store, transfer, disclose, or otherwise retain any information you find on our site during your research, except to report your research to Glassdoor.

Don't violate our Terms of Service or the law.

All access to our Site must otherwise be in accordance with our Terms of Service and all applicable laws. In the event you access PII or other sensitive data, note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, New York Privacy Act 2021, once they become effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors

Don't impact our services.

You must avoid causing any interruption or degradation of our services. Researchers who are found to be using aggressive automated tools will be reported to Hackerone for non co-operation.

No interacting with others.

Any form of interaction with others on or through our Site, including but not limited to other Glassdoor users, is strictly prohibited. Do not make any attempts to phish users or employees.

Cooperate with Glassdoor.

You will be expected to cooperate with us if we request your assistance in connection with your research.

Participation Eligibility.

Current employees or contractors of Glassdoor are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only, if:

• they have left Glassdoor more than 1 year prior to submission, and
• they are not making use of, or referring to, any non-public Glassdoor information obtained when they were an employee or contractor.

Follow Hackerone's Code of Conduct.

A researcher you are expected to follow Hackerone's Code of Conduct.

---

ℹ️ Helpful Tips For Your Testing:

• Group similar submissions: We ask that researchers who are able to identify the same or similar types of issues in multiple locations, across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified.
• Localization: Glassdoor is an international company with many different subdomains for different countries, running the same applications in different languages. Localized versions can share the same codebase and therefore, a vulnerability found on many may only be eligible to be rewarded once.
• Third party applications: For third party applications, such as Wordpress or Salesforce, will only be eligible for reward if there is a reasonable action Glassdoor can take to mitigate issues identified. A good example of something we wouldn't payout for is the output of WPScan showing recently out of date plugins, since regular patching is part of our WP management. An example of something we would payout for is a POC showing unintended behavior that isn't in a vendor patch, which is in our ability to fix.
• Disclosing results: This bounty requires explicit permission to disclose the results of a submission.

---

🎯 Target Overviews

Fishbowl

Different Accounts Types and Roles: 

• Student Account: An account linked to a school email address allowing access to that school's bowl.
• Professional: A regular account can be tied to organization or personal email.

Note: Any difference in role based access between the Professional and Student account does not necessarily indicate a secuirty risk.

Glassdoor

Different Accounts Types and Roles: 

• General User: Typical user access
• Employer User: Glassdoor Employee Center Guide

---

📰 Legal Terms:

By participating in Glassdoor’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to Glassdoor’s Terms of Use as well as the following:

• Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
• You agree that any and all information acquired or accessed by you while participating in the program is confidential to Glassdoor and you shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer, or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work under the Program.
• You acknowledge and agree that any and all information you encounter is owned by Glassdoor or its third-party providers, users, or customers. You have no rights, title, or ownership to any information that you may encounter.
• Any activities conducted in a manner consistent with these terms and the Program will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under these terms and the Program, we may take steps to make it known that your actions were conducted in compliance with the terms and the Program, in our sole discretion. Glassdoor cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability for actions performed on third parties.
• This is not a competition, but rather a discretionary rewards program. The decision to pay or not pay a reward is in our sole discretion.
• We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
• You are solely responsible for any applicable taxes and/or withholdings, arising from or relating to your participation in the Program, including from any bounty payments.
• We reserve the right to terminate or discontinue the Program at any time, in our sole discretion.

Thank you for helping keep Glassdoor and our users safe!