#About#
Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.
Through this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.
Find a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.
#Guidelines#
Rewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:
- Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io
- If you're using your company's Greenhouse account, testing is not permitted without prior written authorization from Greenhouse.
- We do not provide test accounts.
- Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.
- Social engineering attacks against employees are out-of-bounds and will not be accepted.
- Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.
- Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work.
- If we catch you using a scanner against our applications, you may be banned from our bounty program.
- You are not an individual on, or residing in any country on, any U.S. sanctions lists.
- You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue. Submissions without a working PoC will likely be rejected.
- Submissions of pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credential, with an upper limit of $500. Reports should include the source of the leak as part of the submission. Splitting up submissions to get around the upper limit will not be paid out.
#Response Times#
| Action | Target |
| --- | --- |
| Time to first response | 3 days |
| Time to triage | 7 days |
#Known Issues, Ineligible For Reward#
These issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc.
- Login/Logout CSRF/XSRF
- Email configuration (SPF, DKIM, DMARC)
- SSL/TLS ciphers or denial of service issues
- Diffie-Hellman parameters
- Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages
- No Strict-Transport-Security header
- Content Security Policy configuration issues
- Issues related to links or forms outside of the greenhouse.io or grnh.se domains
- Broken links on our company landing page, blog or marketing webpages
- Problems related to widely publicized CVEs
- DDoS
- Downstream providers we do not control (e.g. Marketo)
- Denial of service issues on form input length
- io.greenhouse.recruiting (Mobile Applications)
- Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty.
- Leaked API keys due to customer issues or misconfiguration will not be eligible for bounties.
- Submissions of password leaks that have not been pre-validated by the researcher will not be eligible for bounties.
- Header injection vulnerabilities (including CRLF injection) on marketing pages (greenhouse.com, greenhouse.io)