In order to show its appreciation for security researchers who follow responsible disclosure principles, HireITpeople, Inc. is offering a monetary reward program for researchers who provide assistance with identifying and correcting certain Qualifying Vulnerabilities within the scope of this program.
Scope Covered by this Program
- The HireITpeople website which resides at https://www.hireitpeople.com/.
Scope not Covered by this Program
- Any domain or subdomain other than https://www.hireitpeople.com/
- Third-party applications and software (including those distributed with, used by, or integrated into HireITpeople website.)
- Vulnerabilities that exist in the operating system onto which HireITpeople is installed.
- Vulnerabilities in software produced or maintained by companies owned by or affiliated with HireITpeople. Vulnerabilities in this software should be reported to these companies directly and are not within the scope of this bounty program.
- Vulnerabilities in infrastructure operated by or associated with HireITpeople, Inc.
Responsible Disclosure of Vulnerabilities in HireITpeople
To be eligible for a bounty under this program, you must be the first to report a Qualifying Vulnerability within the scope of this program. You must also adhere to HireITpeople’s Responsible Disclosure policy. This means:
- After discovering a vulnerability in the covered software, you must submit the initial report to firstname.lastname@example.org. Reports of vulnerabilities submitted via other channels may not be considered eligible for any bounty reward.
- HireITpeople’s Security Team will evaluate your report to determine whether or not it is a vulnerability in the covered software.
- HireITpeople’s Security Team may ask for additional clarification from the reporter, assistance in replicating the vulnerability, or assistance in determining the best course of action for mitigating the vulnerability. The reporter is expected to provide timely responses to these inquiries.
- HireITpeople’s Security Team will implement fixes for the vulnerability, if necessary.
- HireITpeople’s Security Team will distribute the fixes to customers.
- After sufficient time has passed for our customers to upgrade to fixed versions of our software, HireITpeople will release a detailed disclosure statement that explains the scope of the vulnerabilities that have been addressed.
- After the detailed disclosure has been released, HireITpeople will provide a reward to the researchers who have maintained confidentiality with HireITpeople throughout the process.
- HireITpeople will not discuss whether a vulnerability is within the scope of this program or any payout terms before the full Responsible Disclosure process has been completed.
Examples of Qualifying Vulnerabilities
Any design or implementation issue within HireITpeople that substantially affects the confidentiality or integrity of user data or the system is likely to be within the scope of this program. Common examples include:
- Cross-Site Scripting
- Cross-Site Request Forgery
- Privilege escalation
- Authentication or Authorization flaws
- Information disclosure flaws that allow users with limited privileges to view data they should not have access to
- SQL injection flaws that cross privilege boundaries
Examples of Non-Qualifying Vulnerabilities
Although HireITpeople assesses each report on a case-by-case basis, some reports simply do not qualify for reward. Common examples of reports that typically do not qualify for reward include:
- Local Denial of Service attacks. HireITpeople may consider vulnerabilities within this category to merit a bounty if they allow users with very limited privileges to disable services without sustained effort.
- Logout Cross-Site Request Forgery attacks.
- Flaws which require the use of out of date browsers, plugins, operating systems, or other client-side applications.
- Flaws which exist only in unsupported versions of HireITpeople .
- Vulnerabilities that are only exploitable when security controls in the software are intentionally disabled.
- Vulnerabilities that require physical access to the systems being attacked.
- Any actions performed intentionally by a user with proper authorization.
- Any vulnerabilities that require an element of social engineering to succeed.
- Aspects of the software that are not directly exploitable, but constitute potential hardening measures. While we appreciate input about methods to harden HireITpeople, such discussions are not within the scope of this program.
- Behaviors or vulnerabilities within third-party software shipped with or used by HireITpeople that has not been modified by HireITpeople.
Confidentiality During the Responsible Disclosure Process
HireITpeople strives to address vulnerabilities in a timely and responsible fashion in order to protect our customers from unnecessary risk. We expect researchers to share this goal and maintain full confidentiality of any vulnerabilities they discover until these flaws are fully remediated and responsibly disclosed. Failure to maintain confidentiality with HireITpeople regarding a vulnerability during the full timeframe required for HireITpeople to evaluate, fix, and disclose the vulnerability will be considered a breach of trust by the researcher and will result in the loss of any bounty that would otherwise be due for the discovery of the vulnerability.
HireITpeople considers ANY public discussion of a vulnerability, even hints at the existence of such a vulnerability, to be a breach of these confidentiality requirements. Further, sharing information regarding a vulnerability with any third-parties during the time required for HireITpeople to address the vulnerability will also be considered a breach. Failure to maintain confidentiality during the resolution of a vulnerability will result in disqualification of the specific vulnerability disclosed and may result in the reporter being barred from any future rewards under this program.
Any tax consequences resulting from the payment of a reward are the recipient’s sole responsibility. Depending on the recipient’s country of residency and citizenship, additional restrictions (such as international and local laws) may limit the ability of a reporter to receive a reward or impose additional requirements on HireITpeople or the reporter. When direct payment is not possible or desired, reporters of qualifying vulnerabilities will be given the option to donate the bounty reward to a non-profit charity of their choosing from a list of eligible charities provided by HireITpeople.
HireITpeople, in its sole discretion, shall determine the eligibility of all submissions and amount of any final reward offered. Additionally, HireITpeople may discontinue the reward program at any time with or without notice. HireITpeople, Inc. staff and their family, friends, neighbors, associates, etc., are not eligible to receive any rewards under this program.
In cases where multiple parties (including HireITpeople itself) independently discover the same vulnerability, only the first party to discover the vulnerability will be credited for the finding or awarded any bounty under this program.
HireITpeople likes to give public recognition to individuals and companies that assist with fixing security vulnerabilities, but understands that some vulnerability reporters do not desire public acknowledgement. If you desire to remain anonymous, meaning no public mention of you or your company, please let us know.