[{"id":3771407,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. 
sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nSubmissions of  pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credentials with a upper limit of $500. Reports should include the source of the leak as part of the submission. Splitting up submissions to abuse the upper limit will not be paid out. \n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. 
Testing of payment functionality is out of scope for the bug bounty\n* Leaked API keys due to a customer issues or mis-configuration will not be eligible for bounties.\n* Submissions of  password leaks that have not been pre-validated by the researcher will not be eligible for bounties\n* Header injection vulnerabilities (including CRLF injection) on marketing pages (greenhouse.com, greenhouse.io)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Leaked Credentials (Unvalidated)\",\"details\":\"Bulk credential dumps or combo lists that have not been individually pre-validated against Greenhouse login endpoints. To be eligible for a bounty, each credential must be confirmed as valid by the researcher prior to submission. Unvalidated dumps will be marked N/A.\"}"],"timestamp":"2026-03-19T23:33:00.509Z"},{"id":3768167,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nSubmissions of  pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credentials with a upper limit of $500. Reports should include the source of the leak as part of the submission. Splitting up submissions to abuse the upper limit will not be paid out. 
\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty\n* Leaked API keys due to a customer issues or mis-configuration will not be eligible for bounties.\n* Submissions of  password leaks that have not been pre-validated by the researcher will not be eligible for bounties\n* Header injection vulnerabilities (including CRLF injection) on marketing pages (greenhouse.com, greenhouse.io)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-09T17:20:54.285Z"},{"id":3765248,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nSubmissions of  pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credentials with a upper limit of $500. 
Reports should include the source of the leak as part of the submission. Splitting up submissions to abuse the upper limit will not be paid out. \n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty\n* Leaked API keys due to a customer issues or mis-configuration will not be eligible for bounties.\n* Submissions of  password leaks that have not been pre-validated by the researcher will not be eligible for bounties\n* Header injection vulnerabilities (including CRLF injection) on greenhouse.io\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-28T19:05:46.624Z"},{"id":3722225,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nSubmissions of  pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credentials with a upper limit of $500. 
Reports should include the source of the leak as part of the submission. Splitting up submissions to abuse the upper limit will not be paid out. \n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty\n* Leaked API keys due to a customer issues or mis-configuration will not be eligible for bounties.\n* Submissions of  password leaks that have not been pre-validated by the researcher will not be eligible for bounties\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-01T18:32:30.199Z"},{"id":3713451,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nSubmissions of  pre-validated, compromised passwords from leaked databases will be paid out at $10 per leaked production credentials with a upper limit of $500. 
Reports should include the source of the leak as part of the submission. Splitting up submissions to abuse the upper limit will not be paid out. \n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty\n* Leaked API keys due to a customer issues or mis-configuration will not be eligible for bounties.\n* Submissions of  a password leaks that have not be pre-validated by the research will not be eligible for bounties\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-29T20:19:17.130Z"},{"id":3705193,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. 
sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n* Paywall bypass reports against Interseller. Testing of payment functionality is out of scope for the bug bounty\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-13T21:25:44.476Z"},{"id":3652793,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. 
sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n* io.greenhouse.recruiting (Mobile Applications)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-27T16:05:35.819Z"},{"id":3648606,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Content Security Policy configuration issues\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-11T00:22:40.713Z"},{"id":3646924,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Broken links on our company landing page, blog or marketing webpages\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T22:33:39.277Z"},{"id":3606501,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 7 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-29T19:33:19.262Z"},{"id":3606421,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks against employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Response Times#\n| Action | Target |\n| --- | ---| --- |\n| Time to first response | 3 days\n| Time to triage | 5 days\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-28T20:43:56.660Z"},{"id":3606420,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks on employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-28T20:22:43.223Z"},{"id":3606418,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, greenhouse.io, onboarding.greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks on employees are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Vulnerabilities that affect the Confidentiality, Integrity or Accessibility of a non critical asset | $250 USD |\n| Medium | Vulnerabilities that can be leveraged for social engineering.  | $500 USD |\n| High | Authenticated, unauthorized access to sensitive customer data. | $1,000 USD |\n| Critical | Unauthenticated access to customer data; Code execution. 
| $2,000+ USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-28T20:20:26.703Z"},{"id":3598034,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Vulnerabilities that affect the Confidentiality, Integrity or Accessibility of a non critical asset | $250 USD |\n| Medium | Vulnerabilities that can be leveraged for social engineering.  | $500 USD |\n| High | Authenticated, unauthorized access to sensitive customer data. | $1,000 USD |\n| Critical | Unauthenticated access to customer data; Code execution. 
| $2,000+ USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T16:17:13.259Z"},{"id":3598033,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $250 USD |\n| Medium | Vulnerabilities that can be leveraged for social engineering.  | $500 USD |\n| High | Authenticated, unauthorized access to sensitive customer data. | $1,000 USD |\n| Critical | Unauthenticated access to customer data; Code execution. 
| $2,000+ USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. \n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T16:16:39.248Z"},{"id":3568907,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n* Denial of service issues on form input length\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-14T14:49:54.036Z"},{"id":3568839,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers or denial of service issues\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options) or login pages\n* No Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-13T15:20:20.170Z"},{"id":3549758,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\n**Submissions without a working PoC will likely be rejected**\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-23T14:52:41.724Z"},{"id":3548148,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n* If we catch you using a scanner against our applications you may be subject to being banned from our bounty\n* You are not an individual on, or residing in any country on, any U.S. sanctions lists.\n* You must provide a clear, detailed, and working proof of concept (PoC) that exploits the security issue\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
\n* Login/Logout CSRF/XSRF\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issue related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVE's\n* DDoS\n* Downstream providers we do not control (e.g. Marketo)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-03T20:33:17.349Z"},{"id":3547924,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* If you're using your company's Greenhouse account, testing is **not permitted** without prior written authorization from Greenhouse.\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact of the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issues related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVEs\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-28T21:36:53.870Z"},{"id":2598635,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\nWe're hiring for a Security Engineer to hack on the Greenhouse applications full-time: http://grnh.se/4t2n8i\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issues related to links or forms outside of the greenhouse.io or grnh.se domains\n* Problems related to widely publicized CVEs\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-05T17:39:41.663Z"},{"id":2475920,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\nWe're hiring for a Security Engineer to hack on the Greenhouse applications full-time: http://grnh.se/4t2n8i\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issues related to links or forms outside of the greenhouse.io or grnh.se domains\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-10T15:22:43.060Z"},{"id":2475918,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\nWe're hiring for a Security Engineer to hack on the Greenhouse applications full-time: http://grnh.se/4t2n8i\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n* Issues related to links or forms outside of the greenhouse.io or grnh.se domains\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-10T15:20:27.084Z"},{"id":2470663,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\nWe're hiring for a Security Engineer to hack on the Greenhouse applications full-time: http://grnh.se/4t2n8i\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io, www.greenhouse.io, greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-08T17:04:41.054Z"},{"id":2467774,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\nWe're hiring for a Security Engineer to hack on the Greenhouse applications full-time: http://grnh.se/4t2n8i\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack 
tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-07T21:11:02.085Z"},{"id":2185596,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* no Strict-Transport-Security header\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-21T14:59:33.434Z"},{"id":2185590,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be 
accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n* Strict-Transport-Security header (Greenhouse is intentionally accessible over both HTTP and HTTPS)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-21T14:58:03.018Z"},{"id":2105720,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:38:09.778Z"},{"id":2105713,"new_policy":"#About#\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports 
validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:32:41.491Z"},{"id":2105712,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n#Known Issues, Ineligible For Reward#\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:32:14.288Z"},{"id":2105709,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it and it's within the guidelines below we'll send you a reward.\n\n#Guidelines#\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by 
Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:31:50.886Z"},{"id":2105696,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm it and it's within the guidelines below we'll send you a reward.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:29:41.382Z"},{"id":2105695,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. If we confirm it we'll send you a reward.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these 
standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:29:01.195Z"},{"id":2105689,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report here. 
If we confirm your report we'll send you a reward.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:28:14.873Z"},{"id":2105681,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\nFind a security flaw in Greenhouse? Submit a report, we'll confirm your findings and reward you for your work.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to 
these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Limited but possible impact on the security of our service. | $100 USD |\n| High | Possible unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:26:14.114Z"},{"id":2105649,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| --- | ---| --- |\n| Low | Could significantly impact the security of our service. | $100 USD |\n| High | Could allow an attacker unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:14:51.553Z"},{"id":2105647,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n| - | -| - |\n| Low | Could significantly impact 
the security of our service. | $100 USD |\n| High | Could allow an attacker unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:13:42.611Z"},{"id":2105646,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or 
attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity | Criteria | Minimum Reward |\n|-|-|-|\n| Low | Could significantly impact the security of our service. | $100 USD |\n| High | Could allow an attacker unauthorized access to confidential customer data. | $1,000 USD |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:13:13.514Z"},{"id":2105638,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T22:06:19.315Z"},{"id":2105620,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| 
-----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:57:03.529Z"},{"id":2105616,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* 
Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reports validated by Greenhouse according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:54:08.037Z"},{"id":2105613,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and will not be accepted.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:53:23.315Z"},{"id":2105612,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- 
| -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:52:58.929Z"},{"id":2105611,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence or proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:52:31.678Z"},{"id":2105607,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this bounty program; usability, functionality, and programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum 
Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:50:29.185Z"},{"id":2105604,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this bounty program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:50:02.227Z"},{"id":2105599,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains not eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum 
Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:48:08.490Z"},{"id":2105595,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* **Domains not elligible for reward**: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:47:16.690Z"},{"id":2105592,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Criteria           | 
Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:46:31.581Z"},{"id":2105583,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Description           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:45:13.729Z"},{"id":2105571,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n| Severity      | Description           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    
|   $1,000 |\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:42:22.754Z"},{"id":2105566,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum reward: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum reward: $1,000.\n\n| Severity      | Description           | Minimum Reward |\n| ------------- | -------------| -----|\n| Low      | Could significantly impact the security of our service. | $100 |\n| High      | Could allow an attacker unauthorized access to confidential customer data.    |   $1,000 |\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of 
third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:41:56.393Z"},{"id":2105561,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. 
Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the discretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:37:51.815Z"},{"id":2105560,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the descretion of Greenhouse:\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:37:34.044Z"},{"id":2105559,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. 
Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues, Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:35:38.550Z"},{"id":2105558,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bug bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:34:56.560Z"},{"id":2105557,"new_policy":"Greenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. 
Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:34:21.287Z"},{"id":2105556,"new_policy":"__Introduction__\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. 
Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* Interesting: Any vulnerability that could significantly impact the security of our service. Minimum bounty: $100.\n* Severe: Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum bounty: $1,000.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:33:49.766Z"},{"id":2105552,"new_policy":"__Introduction__\n\nGreenhouse is software to optimize your entire recruiting and onboarding process. Find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* __Interesting:__ Any vulnerability that could significantly impact the security of our service. Minimum bounty: __$100__.\n* __Severe:__ Any vulnerability that could allow an attacker unauthorized access to confidential customer data. 
Minimum bounty: __$1,000__.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:32:23.827Z"},{"id":2105542,"new_policy":"__Introduction__\n\nGreenhouse is software-as-a-service that optimizes the recruiting process of companies. 
We help our customers find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* __Interesting:__ Any vulnerability that could significantly impact the security of our service. Minimum bounty: __$100__.\n* __Severe:__ Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum bounty: __$1,000__.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete descretion of Greenhouse.\n\n* Domains elligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains **not** elligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Inelligible For Reward__\nThese issues are not elligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:26:31.354Z"},{"id":2105540,"new_policy":"__Introduction__\n\nGreenhouse is software-as-a-service that optimizes the recruiting process of companies. We help our customers find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researches worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* __Interesting:__ Any vulnerability that could significantly impact the security of our service. Minimum bounty: __$100__.\n* __Severe:__ Any vulnerability that could allow an attacker unauthorized access to confidential customer data. 
Minimum bounty: __$1,000__.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete discretion of Greenhouse.\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains *not* eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:24:45.149Z"},{"id":2105538,"new_policy":"__Introduction__\n\nGreenhouse is software-as-a-service that optimizes the recruiting process of companies. 
We help our customers find better candidates, conduct more focused interviews, and make data-driven hiring decisions.\n\nThrough this security bounty program we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform.\n\n__Rewards__\n\nRewards are made for reported and validated security issues according to these standards:\n\n* __Interesting:__ Any vulnerability that could significantly impact the security of our service. Minimum bounty: __$100__.\n* __Severe:__ Any vulnerability that could allow an attacker unauthorized access to confidential customer data. Minimum bounty: __$1,000__.\n\n__Guidelines__\n\nRewards are contingent on you operating within these guidelines and are granted at the complete discretion of Greenhouse.\n\n* Domains eligible for reward: app.greenhouse.io, api.greenhouse.io, boards.greenhouse.io\n* Domains *not* eligible for reward: www.greenhouse.io, info.greenhouse.io, blog.greenhouse.io\n* We do not provide test accounts.\n* Only issues that might impact the security of our data and supporting systems are in-scope for this program; usability, functionality, and general programming bugs are out-of-scope.\n* Social engineering attacks are out-of-bounds and will not be accepted.\n* Any research or testing that impacts our application's performance or exposes confidential information to anyone else is out-of-bounds and will not be accepted.\n* Output copied from any scanning, auditing, or attack tool without supporting evidence and a proof-of-concept will not be accepted as original work and no reward will be given.\n\n__Known Issues Ineligible For Reward__\nThese issues are not eligible for reward due to design decisions, limitations of third-party services we use, etc. 
We are aware of and tracking these issues:\n* Email configuration (SPF, DKIM, DMARC)\n* SSL/TLS ciphers\n* Diffie-Hellman parameters (Logjam)\n* Clickjacking/UI Redress on boards.greenhouse.io (X-Frame-Options)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T21:24:05.045Z"},{"id":1772835,"new_policy":"Greenhouse provides hiring software for high-growth companies. Our customers range from A-round startups all the way up to large, publicly traded companies. Security is a huge priority for us, yet we understand that a broad range of potential vulnerabilities exist in any complex piece of software. The Greenhouse security bounty program is aimed at helping us to confidentially collaborate with security researchers in identifying and mitigating potential security vulnerabilities. For your efforts as white-hat hackers, we are happy to provide a reward system which recognizes your contributions to our customers' security.\n \nThis bounty program is not concerned with usability or functional bugs, but rather is directed strictly at addressing issues which might impact the security of our data and supporting systems.\n\nWe categorize reported security bugs according to the following standard:\n* __Severe:__ Any bug which could provide an attacker with unauthorized access to confidential customer data. Severe bugs have a minimum bounty of __$1,000__.\n* __Interesting:__ Any bug which could impact the security of our service. Interesting bugs have a minimum bounty of __$100__.\n\n__IMPORTANT NOTES:__ \n* We are not providing test accounts at this time. 
Please do not ask our support staff for an account.\n* Social engineering attacks are out-of-bounds for our bug program until further notice.\n* Any investigation which impacts our application's performance, or exposes confidential information to any other party is out-of-bounds for reward.\n* Supplying output from a scanning tool without supporting evidence and a PoC to prove the bug exists will make your report not eligible for a reward.\n* www.greenhouse.io, info.greenhouse.io, and blog.greenhouse.io are out-of-bounds for reward.\n* Just to reiterate: the only domains which are in-bounds for this bounty program are app.greenhouse.io, api.greenhouse.io, and boards.greenhouse.io.\n* Reports related to email configuration (i.e., SPF, DKIM, and DMARC) are not eligible for bounty.\n\nWe encourage you to actively engage with our software to identify vulnerabilities, but, we do expect that no action is taken which would directly impact our application's performance or expose confidential information to any other party in the event that a vulnerability is discovered.  These terms are a contingency of any potential payout.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-08-21T14:42:27.432Z"},{"id":1657085,"new_policy":"Greenhouse provides hiring software for high-growth companies. Our customers range from A-round startups all the way up to large, publicly traded companies. Security is a huge priority for us, yet we understand that a broad range of potential vulnerabilities exist in any complex piece of software. The Greenhouse security bounty program is aimed at helping us to confidentially collaborate with security researchers in identifying and mitigating potential security vulnerabilities. 
For your efforts as white-hat hackers, we are happy to provide a reward system which recognizes your contributions to our customers' security.\n \nThis bounty program is not concerned with usability or functional bugs, but rather is directed strictly at addressing issues which might impact the security of our data and supporting systems.\n\nWe categorize reported security bugs according to the following standard:\n* __Severe:__ Any bug which could provide an attacker with unauthorized access to confidential customer data. Severe bugs have a minimum bounty of __$1,000__.\n* __Interesting:__ Any bug which could impact the security of our service. Interesting bugs have a minimum bounty of __$100__.\n\n__IMPORTANT NOTES:__ \n* We are not providing test accounts at this time. Please do not ask our support staff for an account.\n* Social engineering attacks are out-of-bounds for our bug program until further notice.\n* Any investigation which impacts our application's performance, or exposes confidential information to any other party is out-of-bounds for reward.\n* Supplying output from a scanning tool without supporting evidence and a PoC to prove the bug exists will make your report not eligible for a reward.\n* www.greenhouse.io, info.greenhouse.io, and blog.greenhouse.io are out-of-bounds for reward.\n* Just to reiterate: the only domains which are in-bounds for this bounty program are app.greenhouse.io, api.greenhouse.io, and boards.greenhouse.io.\n\nWe encourage you to actively engage with our software to identify vulnerabilities, but, we do expect that no action is taken which would directly impact our application's performance or expose confidential information to any other party in the event that a vulnerability is discovered.  
These terms are a contingency of any potential payout.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T20:29:04.846Z"},{"id":1657082,"new_policy":"Greenhouse provides hiring software for high-growth companies. Our customers range from A-round startups all the way up to large, publicly traded companies. Security is a huge priority for us, yet we understand that a broad range of potential vulnerabilities exist in any complex piece of software. The Greenhouse security bounty program is aimed at helping us to confidentially collaborate with security researchers in identifying and mitigating potential security vulnerabilities. For your efforts as white-hat hackers, we are happy to provide a reward system which recognizes your contributions to our customers' security.\n \nThis bounty program is not concerned with usability or functional bugs, but rather is directed strictly at addressing issues which might impact the security of our data and supporting systems.\n\nWe categorize reported security bugs according to the following standard:\n* __Severe:__ Any bug which could provide an attacker with unauthorized access to confidential customer data. Severe bugs have a minimum bounty of __$1,000__.\n* __Interesting:__ Any bug which could impact the security of our service. Interesting bugs have a minimum bounty of __$100__.\n\n__IMPORTANT NOTES:__ \n* We are not providing test accounts at this time. 
Please do not ask our support staff for an account.\n* Social engineering attacks are out-of-bounds for our bug program until further notice.\n* Any investigation which impacts our application's performance, or exposes confidential information to any other party is out-of-bounds for reward.\n* Supplying output from a scanning tool without supporting evidence and a PoC to prove the bug exists will make your report not eligible for a bounty.\n* www.greenhouse.io, info.greenhouse.io, and blog.greenhouse.io are out-of-bounds for reward.\n* Just to reiterate: the only domains which are in-bounds for this bounty program are app.greenhouse.io, api.greenhouse.io, and boards.greenhouse.io.\n\nWe encourage you to actively engage with our software to identify vulnerabilities, but, we do expect that no action is taken which would directly impact our application's performance or expose confidential information to any other party in the event that a vulnerability is discovered.  These terms are a contingency of any potential payout.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-10T20:28:36.291Z"}]