At Hirevue, we are committed to the security of our products and the protection of our customers' data. We value the crucial role that security researchers play in helping us maintain a safe and secure environment. If you believe you've discovered a potential security vulnerability in a Hirevue product, we encourage you to report it to us.
This policy outlines how to report vulnerabilities, what you can expect from us, and our general guidelines for security research. We aim to follow the principles of coordinated vulnerability disclosure as outlined in ISO 29147.
Reporting a Potential Vulnerability
We encourage you to share the details of any suspected vulnerabilities with the Hirevue Security Team through one of the following channels:
- Email: [email protected]
- HackerOne: You can submit reports via our HackerOne program. If you've identified a potential vulnerability and are not yet part of our HackerOne program, please email us at [email protected] with a brief description of the finding. If it appears to be an eligible issue, we'll be happy to invite you.
What to Include in Your Report
To help us understand and address the issue efficiently, please include the following in your report:
- A clear description of the vulnerability, including the affected product or service.
- Technical details, including steps to reproduce the vulnerability.
- The potential impact of the vulnerability.
- Any proof-of-concept code or screenshots, if applicable.
- Your contact information.
Our Commitment & Disclosure Process
Hirevue is dedicated to working collaboratively with security researchers:
- Acknowledgement: We will make our best effort to acknowledge receipt of your vulnerability report within 2 business days.
- Triage & Validation: Our security team will investigate and validate the reported vulnerability. We will aim to confirm the existence of the vulnerability and determine its severity.
- Communication: We will strive to keep you informed of our progress as we work to remediate the vulnerability. Please allow a reasonable timeframe for us to address the issue.
- Resolution: We are committed to remediating validated vulnerabilities in a timely manner, considering the potential impact and complexity.
- Coordinated Disclosure: We believe in coordinated disclosure. Once a vulnerability is remediated, we are open to discussing public disclosure with you. We prefer to agree on a disclosure timeline that ensures our users are protected.
Guidelines for Security Researchers
We ask that your research and reporting adhere to the following guidelines:
- Act Responsibly: Conduct your research in a way that avoids harm to Hirevue, our users, and our services.
- Focus on In-Scope Assets: Our primary product offerings are in scope. HireVue's marketing site (www.hirevue.com) is generally considered out of scope for bounty rewards. Findings related to this site will be treated as informational, though we still appreciate you bringing them to our attention.
- Specific Findings: Please submit reports that detail specific, verifiable vulnerabilities. Generic reports about potential issues without a clear attack vector or proof-of-concept are less actionable. We are primarily interested in exploitable vulnerabilities, not general security best practice recommendations unless they highlight a specific, unaddressed risk.
- Automated Tools: While we understand the utility of automated tools, please use them responsibly to avoid disrupting our services or generating excessive traffic. Reports from automated tools should include clear analysis and demonstrate an actual security impact, not just potential findings.
- Good Faith: We expect all submissions to be made in good faith. Please do not submit reports for issues that you haven't reasonably verified.
- Respect Privacy: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Designated Channels: Please use only the designated [email protected] email or our HackerOne program for vulnerability submissions.
Safe Harbor
When conducting vulnerability research according to this policy, we consider your research to be authorized and will not initiate or recommend legal action against you. We request that you comply with all applicable laws and the guidelines of this policy. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Bounty Program
To show our appreciation for responsible security researchers, Hirevue may offer rewards such as swag and/or monetary bounties for reports of qualifying security vulnerabilities.
- Eligibility: The decision to grant a reward, as well as its nature and amount, is at Hirevue's sole discretion.
- Factors: Rewards are generally based on the severity, impact, and quality of the report. Well-written reports with clear reproduction steps are more likely to qualify for a bounty.
We want to reward your valuable work in helping us secure our platform.
Exclusions
While we encourage security research, the following activities are strictly prohibited:
- Denial of Service (DoS or DDoS) attacks or any actions that could disrupt our services.
- Spamming of any kind.
- Social engineering (including phishing) of Hirevue employees, contractors, or customers.
- Any physical attempts against Hirevue property, data centers, or employees.
- Accessing or attempting to access accounts or data you do not own or have explicit permission to access.
- Exfiltrating, destroying, or modifying any Hirevue or customer data.
If you are unsure whether your planned research activities fall within these exclusions, please contact us at [email protected] beforehand.
Thank You!
We sincerely appreciate your efforts in helping us keep Hirevue and our users safe. We look forward to working with the security community to create a more secure digital environment.