Bug Bounty Program

Recruitly is committed to protecting our customers' data. We strongly believe that close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process.

Bounty payments are determined by the level of access or execution achieved by the reported issue, modified by the quality of the report.

Program Rules

  • Automated testing is not permitted.
  • Test only with your own account(s) when investigating bugs, and do not interact with other accounts without the consent of their owners.
  • You must be the first person to report the issue to us. We will review duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
  • We award bounties at the time of fix, and will keep you posted as we work to resolve them.
  • Report identified bugs to security@recruitly.io.
  • We pay bounty awards in Pound Sterling via Paypal.

Bug Bounty Rewards

The following guidelines give you an idea of what we usually pay out for different classes of bugs. Low-quality reports may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue. Step-by-step instructions including how to reproduce your issue starting out by creating a fresh Recruitly account are preferred. Screenshots and videos are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.

There is no maximum reward – particularly creative or severe bugs will be rewarded accordingly. Depending on the severity of the bug, and the quality of your report, we may pay a lower-tier bug out at a higher level.

Severity Tier    Reward
Critical         £250
High             £150
Medium           £50
Low              £25

Tier 3: Low Severity Bugs

  • Mixed content issues
  • “Tab-Nabbing” or other rel="noopener" bugs
  • Self-XSS (XSS requiring interaction other than browsing to exploit)
  • Server misconfiguration or provisioning errors
  • And other low-severity issues

Tier 2: Medium Severity Bugs

  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • Broken Authentication affecting a single account
  • Privilege Escalation affecting a single account
  • SSRF to an internal service, hosted by Recruitly
  • Information leaks or disclosure (including customer data)
  • And other medium-severity issues

Tier 1: High Severity Bugs

  • XSS
  • Information leaks or disclosure of customer data

Tier 0: Critical Severity Bugs

  • SQL Injection
  • Remote Code Execution
  • Privilege Escalation affecting all accounts
  • Broken Authentication affecting all accounts
  • SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
  • And other critical-severity issues

What’s In Scope

  • recruitly.io

Exclusions

The following bugs are unlikely to be eligible for a bounty:

  • Issues found through automated testing
  • “Scanner output” or scanner-generated reports
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • “Advisory” or “Informational” reports that do not include any Recruitly-specific testing or context
  • Vulnerabilities requiring physical or remote access to the victim’s unlocked device
  • Denial of Service attacks
  • Brute Force attacks
  • Spam or Social Engineering techniques, including:
    • SPF and DKIM issues
    • Content injection
    • Hyperlink injection in emails
    • IDN homograph attacks
    • RTL Ambiguity
  • Content Spoofing
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Bugs that do not represent any security risk – these should be reported to support@recruitly.io.
  • Security bugs in help.recruitly.io – this site runs on Crisp.chat, so if you find vulnerabilities in the Crisp.chat service, please see Crisp.chat’s bounty program for reporting details.
  • Security bugs in roadmap.recruitly.io – this site runs on Prodcamp so if you find vulnerabilities in the Prodcamp service, please see Prodcamp’s bounty program for reporting details.
  • Security bugs in whatsnew.recruitly.io – this site runs on Announcekit.app so if you find vulnerabilities in the Announcekit.app service, please see Announcekit.app’s bounty program for reporting details.
  • Security bugs in screencasts.recruitly.io – this site runs on Screencast-O-Matic so if you find vulnerabilities in the Screencast-O-Matic service, please see Screencast-O-Matic’s bounty program for reporting details.
  • Security bugs in third-party applications or services built on the Recruitly API – please report them to the third party that built the application or service
  • Submissions from former Recruitly employees within one year of their departure from Recruitly

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.