Responsible Disclosure Policy
OpenJobs welcomes security researchers and developers to help us identify vulnerabilities in our platform. We've received a number of low-effort or invalid reports in the past, so this policy exists to set clear expectations: what we review, what we need from you, and what you can expect from us in return. We only review and reward High and Critical severity security vulnerabilities.
Who Can Participate
This program is open to external security researchers and developers. OpenJobs employees, contractors, and their immediate family members are not eligible to participate or receive rewards under this program.
Our Commitment
- We will acknowledge receipt of your report within 5 business days.
- We will investigate every report in good faith and keep you updated on our progress.
- We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
- We will not require you to disclose your identity publicly, but we're happy to credit you if you'd like.
- We will notify you once a verified issue has been fixed.
Your Responsibilities
By submitting a report, you agree to:
- Test only against your own OpenJobs account(s). Do not access, view, modify, or exfiltrate data belonging to other users.
- Access only the minimum data necessary to demonstrate the vulnerability — stop as soon as you've confirmed it exists.
- Delete any data obtained through testing once your report is submitted.
- Not publicly disclose (blog post, social media, conference talk, forum, etc.) any details of a vulnerability before we've confirmed a fix is deployed, or before we've reached written agreement on a disclosure timeline.
- Not use denial-of-service (DoS/DDoS) techniques, social engineering, or phishing against OpenJobs systems, employees, or contractors.
- Not attempt physical access to OpenJobs offices, devices, or infrastructure.
- Submit findings only through our official Bug Bounty submission form — not by public post, social media, or unsolicited contact with employees.
Violating any of the above disqualifies a report from reward eligibility, regardless of the vulnerability's validity.
Severity Definitions
We evaluate severity based on real-world impact, not just technical classification.
- Critical: Unauthenticated access to another user's account or data; ability to access another employer's applicant or candidate data; full account takeover without user interaction.
- High: Bypassing authentication or authorization to view another user's dashboard or data; privilege escalation from a standard account to an employer or admin-level account.
- Low / Informational (not eligible for reward): Issues requiring extensive user interaction or self-targeted exploitation (such as reflected XSS only exploitable in your own browser console), minor UI/logic inconsistencies, or informational findings without a demonstrated path to impact.
Scope
In scope
- The OpenJobs web application (openjobshq.com), including job seeker and employer-facing areas
- Nova Labs AI search and matching features
- Applicant Tracker and employer dashboard
- Authentication, account management, and session handling
- APIs supporting any of the above
Out of scope
- Denial of service or load-testing findings
- Spam, social engineering, or phishing techniques
- Physical attacks against OpenJobs team members or facilities
- Vulnerabilities in third-party services we don't directly maintain (e.g., hosting, payment processors, embedded widgets) — please report these to the respective vendor instead
- Issues that require physical access to a user's device
- Domain/DNS/email configuration findings (e.g., missing SPF/DKIM) without a demonstrated, working exploit
- Issues already known to us or already on our engineering roadmap
- Automated scanner output without manual validation and a working proof of concept
What Counts as a Unique Vulnerability
Multiple findings that stem from the same underlying root cause — for example, the same authentication flaw demonstrated across several different endpoints — are treated as a single submission for reward purposes. We determine uniqueness based on root cause, not the number of places a symptom can be reproduced.
Disclosure Timeline
Please give us reasonable time to investigate and remediate before sharing anything publicly. We ask for a minimum of 90 days from your report date, or until we confirm a fix, whichever comes first. We'll keep you updated throughout. Public disclosure before resolution, or without our written agreement, disqualifies the submission from reward.
Reward Eligibility
- Rewards are issued only after a report is verified as legitimate, confirmed as High or Critical severity, and a fix has shipped.
- Each unique, verified vulnerability earns one month of OpenJobs Pro, applied to the account tied to your submission.
- Rewards are cumulative — three verified, unique vulnerabilities earn three months, and so on.
- Only the first valid report of a given issue is rewarded; duplicate reports of an already-known or already-submitted vulnerability are not.
- We reserve the right to revoke a reward and reclaim any associated Pro months if we later determine a report was fabricated, self-inflicted, obtained through prohibited testing methods, or submitted in bad faith.
- OpenJobs determines severity, validity, and reward eligibility at its sole discretion.
Program Terms
This program is offered at OpenJobs' discretion and may be modified, paused, or discontinued at any time without notice. Submitting a report does not guarantee a reward.
Acknowledgment
By submitting a report through our Bug Bounty form, you confirm you've read, understood, and agree to this Responsible Disclosure Policy — including the requirement to keep vulnerability details confidential until a fix is confirmed.
Questions
For questions about this policy or the program, contact us at osindy@openjobshq.com.