Join our Bug Bounty Program
Your skills in identifying security flaws can make all the difference. Help us fortify our systems and be rewarded.
About the program
Recruit CRM’s bug bounty program rewards security researchers and ethical hackers who identify and responsibly report vulnerabilities in our software, services, or networks.
It benefits both sides: we improve our security posture by drawing on external expertise, and researchers who responsibly disclose security flaws receive financial or recognition-based rewards.
Rewards

Severity | Reward
---|---
Critical | $75
High | $50
Low | $25

Rewards are paid per unique security vulnerability that is reported together with a suggested fix and approved by our team.
How to report a vulnerability?
If you’ve discovered a potential security issue within our software, services, or networks, we encourage you to report it responsibly through our Bug Bounty Program. Follow the steps below to ensure your submission is eligible for rewards.
1. Prepare a detailed report
- Steps to reproduce: Provide clear instructions for reproducing the vulnerability, including any necessary data, configurations, or environment details.
- Potential impact: Explain the possible consequences of the vulnerability for our systems, data, or users, highlighting the severity and urgency of the issue.
- Recommended fixes: Suggest potential solutions or mitigation strategies to resolve the vulnerability, and where possible how similar issues can be prevented in the future.
2. Submit your report
- Email submission: Send your detailed report to contact@recruitcrm.io
- Subject line: Make sure the email subject clearly states that it is a Bug Bounty Report, so it can be identified and routed quickly.
3. Await our response
- Review: We will assess the validity and severity of the reported vulnerability.
- Acknowledgment: We will acknowledge receipt of your report within 2 working days. After review, the team will provide feedback, request additional information if needed, and outline the next steps.
Eligible and ineligible bugs
What’s in and out of scope
In-scope assets
- Web applications
- Mobile applications
- Publicly accessible network infrastructure
Out-of-scope assets and activities
- Internal network
- Third-party services
- Non-production environments
- Denial of service and spam
- Social engineering (attacks that manipulate people, e.g., phishing or impersonation)
Types of vulnerabilities considered out of scope
- Clickjacking on pages without sensitive actions
- Issues requiring physical or remote access to the victim’s unlocked device
- Issues requiring user interaction that is improbable in real-world scenarios
- Vulnerabilities in outdated software that is not used in production
- Issues found solely through automated testing, or reports generated by scanners
- Vulnerabilities in third-party software reported within 3 days of their public disclosure
- "Advisory" reports without specific testing against Recruit CRM
- Brute-force attacks
- Spam or social engineering techniques, including:
  - SPF and DKIM issues
  - Content injection
  - Hyperlink injection in emails
  - IDN homograph attacks
  - RTL ambiguity
  - Content spoofing
- Issues relating to password policy
- Full-path disclosure
- Version number information disclosure
- Clickjacking on pre-authenticated pages
- CSRF on actions that do not require authentication (or a session) to exploit
- Reports that only point out missing or misconfigured security headers:
  - Strict-Transport-Security (HSTS)
  - XSS mitigation headers (X-XSS-Protection)
  - X-Content-Type-Options (nosniff), unless you demonstrate an exploitable scenario
  - Content-Security-Policy (CSP) settings
- Bugs that do not represent any security risk
- Security bugs in third-party services
- Submissions from former Recruit CRM employees within one year of their departure from the organization
Severity classification
We value responsible disclosure and appreciate your efforts in making our platform more secure!
Critical severity bugs
- SQL Injection
- Remote Code Execution
- Privilege Escalation affecting all accounts
- Broken Authentication affecting all accounts
- SSRF to an internal service, with extremely critical impact (e.g., immediate and direct security risk)
- Information leaks or disclosure (including customer data)
- And other critical-severity issues
High severity bugs
- Cross-Site Scripting (XSS)
- Information leaks or disclosure of customer data
- And other high-severity issues
Low severity bugs
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- Broken Authentication affecting a single account
- Privilege Escalation affecting a single account
- SSRF to an internal service hosted by RecruitCRM
- Tab-nabbing or other missing rel="noopener" issues
- Self-XSS (XSS requiring interaction other than browsing to exploit)
- And other low and medium-severity issues
Rules and regulations
Essential rules for participants
Testing guidelines
- No service disruption: Do not perform any testing that could result in downtime or degrade the quality of our services.
- No physical attacks: Do not engage in physical attacks on our infrastructure, such as server tampering.
- Avoid automated scanning: Refrain from using automated scanners that may produce excessive traffic.
Disclosure policy
- Confidentiality: Do not disclose any vulnerabilities publicly until they have been resolved and with our explicit permission.
- Non-disclosure: Participants are not permitted to disclose details of their findings to third parties under any circumstances.
Other guidelines
- Payment: Only the first valid report of each unique vulnerability is eligible for a payout; duplicate reports are not rewarded.
- Employee relations: No employee, contractor, or acquaintance of someone who works with Recruit CRM can participate in this program without fully disclosing their relationship with Recruit CRM.
- Clear & detailed reports: Submissions must include proof-of-concept steps and sufficient details to reproduce the issue.
- Original vulnerabilities only: Reported issues must be previously unknown and not publicly disclosed.
- Authorized testing only: You may only test against accounts you own or those for which you have explicit permission.
- Final decision authority: Recruit CRM reserves the right to determine whether a reported issue qualifies for a bounty.
Found any bugs?
Report to contact@recruitcrm.io
- This program is subject to change. Please review it regularly for updates.