Join our
Bug Bounty Program
Your skills in identifying security flaws can make all the difference: help us fortify our systems and be rewarded.
About the program
Recruit CRM’s bug bounty program is a reward system to incentivize security researchers and ethical hackers for identifying and reporting software, services, or network vulnerabilities.
This program is a win-win as it helps us improve our cybersecurity posture by leveraging external expertise and, in return, offers financial or recognition-based rewards to those who identify and responsibly disclose security flaws.
- Reward: $75 per unique security vulnerability reported with the solution, as approved by our team.
How to report a vulnerability?
If you’ve discovered a potential security issue within our software, services, or networks, we encourage you to report it responsibly through our Bug Bounty Program. Follow the steps below to ensure your submission is eligible for rewards.
1. Prepare a detailed report
- Steps to reproduce: Provide a clear document on replicating the vulnerability, including any necessary data, configurations, or environment details.
- Potential impact: Explain the possible consequences of the vulnerability on our systems, data, or users, highlighting the severity and urgency of the issue.
- Recommended fixes: Suggest potential solutions or mitigation strategies to resolve the vulnerability, offering insights into preventing similar issues in the future.
2. Submit your report
- Email submission: Send your detailed report to contact@recruitcrm.io
- Subject line: Ensure your email subject clearly states it’s a Bug Bounty Report for easier identification.
3. Await our response
- Review of your submission: We will assess the validity and severity of the reported vulnerability.
- Acknowledgment: After reviewing, we will acknowledge receipt of your report within 2 working days. The team will also provide feedback, request additional information, and outline the next steps.
Eligible and ineligible bugs
What’s in and out of scope
In-scope assets
- Web applications
- Mobile applications
- Publicly accessible network infrastructure
Out-of-scope assets
- Internal network
- Third-party services
- Non-production environments
- Denial of service and spam
- Social engineering: attacks or methods that involve manipulating people (e.g., phishing, impersonation)
Types of vulnerabilities considered out of scope
- Clickjacking on pages without sensitive actions.
- Issues requiring physical access to the user’s device.
- Issues that depend on user interactions that are improbable or negligible in real-world scenarios.
- Vulnerabilities related to outdated software not used in production.
Rules and regulations
Essential rules for participants
Testing guidelines
- No service disruption: Do not perform any testing that could result in downtime or degrade the quality of our services.
- No physical attacks: Do not engage in physical attacks on our infrastructure, such as server tampering.
- Avoid automated scanning: Refrain from using automated scanners that may produce excessive traffic.
Disclosure policy
- Confidentiality: Do not disclose any vulnerabilities publicly until they have been resolved and with our explicit permission.
- Non-disclosure: Participants are not permitted to disclose details of their findings to third parties under any circumstances.
Other guidelines
- Payment: Payout is made only for the first report of each type of vulnerability.
- Employee relations: No employee, contractor, or acquaintance of someone who works with Recruit CRM can participate in this program without fully disclosing their relationship with Recruit CRM.